Configuring preauth

Tom Parker tparker at cbnco.com
Thu Apr 15 14:23:30 EDT 2010


From my understanding you need to enable preauth per principal.

When I enabled preauth on my server I had to write a little script that
added the +require_preauth to my users:

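#!/bin/sh
# Collect every principal name, skipping names that contain "/" and the
# kadmin.local prompt lines.
USERS=$(echo "get_principals" | kadmin.local | grep -v \/ | grep -v kadmin.local:)
### Note 'grep -v \/' is a \ and / not the letter V.
OPTIONS="+requires_preauth"

# Set the flag on each principal; kadmin.local output is discarded.
for PRINCIPAL in $USERS
do
        echo "Updating $PRINCIPAL"
        echo "modify_principal $OPTIONS $PRINCIPAL" | kadmin.local >/dev/null
done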

I also set

[realms]
    MYREALM.COM = {
        default_principal_flags = +preauth
    }

in my kdc.conf to automatically add the +require_preauth flag to any new
principals.

Hope this helps.


On 04/15/2010 02:14 PM, Jeff Blaine wrote:
> MIT Kerberos 1.8, all Linux for now, custom build
>
> It's my understanding that the existence of a preauth
> module in lib/krb5/plugins makes the module required.
>
> Is that correct?  I bet it's not, and if so, I would
> love to have someone explain what reality is.
>
> Is there any documentation on configuring preauth at
> all?  I already found +require_preauth as part of
> addprinc/modprinc
>
> Thanks for any help!
>   
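
A read-only check that the flag was actually applied, as an added example that is not part of the original message: `missing_preauth` parses `get_principal` output and lists principals whose Attributes line lacks REQUIRES_PRE_AUTH. The function names, the `--live`/`--sample` switches and the abbreviated sample records are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit which principals
# still lack the REQUIRES_PRE_AUTH attribute.

# Reads concatenated "get_principal" output on stdin; prints the name of
# every principal whose Attributes line does not list REQUIRES_PRE_AUTH.
missing_preauth() {
    awk '
        /^Principal: / { name = $2 }
        /^Attributes:/ {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == "REQUIRES_PRE_AUTH") found = 1
            if (name != "" && !found) print name
            name = ""
        }'
}

# Constructed, abbreviated sample records (real output has more fields).
sample_getprinc_output() {
    cat <<'EOF'
Principal: alice@MYREALM.COM
Number of keys: 2
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@MYREALM.COM
Number of keys: 2
Attributes:
Policy: [none]
Principal: carol@MYREALM.COM
Number of keys: 2
Attributes: DISALLOW_FORWARDABLE
Policy: [none]
EOF
}

# Run against the live database on the KDC (same name filter as the
# script in the post: principals containing "/" are skipped).
audit_live() {
    kadmin.local -q "get_principals" 2>/dev/null | grep '@' | grep -v / |
    while read -r p; do
        kadmin.local -q "get_principal $p" </dev/null 2>/dev/null
    done | missing_preauth
}

case "${1:-}" in
    --live)   audit_live ;;
    --sample) sample_getprinc_output | missing_preauth ;;
esac
```

Run with `--live` on the KDC after the update loop; an empty result means every listed principal carries the flag.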