2 preauth questions

Chris Hecker checker at d6.com
Thu Nov 17 18:49:39 EST 2011


1. I'm running into the "NO PREAUTH" problem with the KDC that's
mentioned here:

Greg:
> For reasons I don't personally understand, the "NO PREAUTH" error
> happens when a TGS request with no preauth comes in for a service
> (not client) principal with requires-preauth set.
http://www.mail-archive.com/kerberos@mit.edu/msg15735.html

Here's the relevant code from the 1.9.1 kdc_utils.c:

>     /* Check for any kind of preauthentication */
>     if (isflagset(server->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
>         !isflagset(ticket->enc_part2->flags, TKT_FLG_PRE_AUTH)) {
>         *status = "NO PREAUTH";
>         return KRB_ERR_GENERIC;
>     }

I actually hit this when trying to do a u2u TGS_REQ, because one of my
princs was just created manually instead of by scripts that set
+requires_preauth, while the other was created "correctly", so the u2u
TGS_REQ works one way but not the other (see also #2 below).

Is there any further rationale for the server->attributes check above?
Thinking about it, the flag seems to be doing double duty:  for clients
it requires preauth so dictionary attacks aren't possible, and for
services it requires the clients to be preauthed, I guess as an added
security requirement?  When doing u2u, this double-duty means all the
client princs need to be set or none of them do, however, or they won't
interoperate.

Added note:  If I modprinc +requires_preauth, but the ccache already has
the tgt in it, it still fails at this u2u stage.  I have to delete the
ccache and re-get the tgt, which sets the preauth bit in the tgt that
the kdc checks above, I assume?  This last thing isn't a problem when I
don't switch requires_preauth after a valid tgt has already been gotten,
but it's non-intuitive behavior, at least.

I assume there's no way to force a preauth at the TGS_REQ phase, so the
request would just take another loop?

2. On a related note, is there any way to default +requires_preauth on
princs?  There are password policies, but I didn't see any way to have
attribute policies that would allow +requires_preauth +disallow_svr as
the default for all my princs created through kadmin manually.  When I
create accounts using my perl Authen::Krb5::Admin scripts, I set the
flags correctly, of course, it's just sometimes nice to drop into kadmin
quickly to make a test account.

Chris
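Added example, not part of Chris's post and not MIT krb5 code: a small Python audit for question 2 that parses kadmin getprinc output, lists principals that lack REQUIRES_PRE_AUTH (and optionally DISALLOW_SVR), and builds the modprinc commands that would add the missing flags, plus a one-function mirror of the kdc_util.c check quoted in question 1 so the "stale TGT in the ccache" behaviour can be reasoned about. Assumptions: the getprinc text below is constructed, the parser relies on the "Attributes: FLAG FLAG ..." line that MIT kadmin prints, and the two numeric flag values are the ones from MIT krb5's kdb.h and krb5.h as the editor recalls them.

```python
"""Audit principals for REQUIRES_PRE_AUTH and mirror the KDC's TGS preauth check.

Added example (not from the mailing-list post, not MIT krb5 code).
Assumes the 'Attributes:' line format printed by MIT kadmin's getprinc.
"""
from typing import Dict, List, Optional, Sequence, Set

# Constructed sample: what 'kadmin.local -q "getprinc NAME"' prints for three
# principals, trimmed to the fields that matter here.  alice was created by
# the provisioning script, testacct by hand in kadmin without any flags.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]

Principal: testacct@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: [none]

Principal: host/kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# Flag names as getprinc prints them -> the kadmin option that sets them.
KADMIN_OPTION = {
    "REQUIRES_PRE_AUTH": "requires_preauth",
    "DISALLOW_SVR": "disallow_svr",
}


def parse_getprinc(text: str) -> Dict[str, Set[str]]:
    """Map each principal name to the set of attribute flags getprinc lists for it."""
    result: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            result[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            # An empty tail means the principal carries no attribute flags.
            result[current] = set(line.split(":", 1)[1].split())
    return result


def missing_flags(princs: Dict[str, Set[str]],
                  required: Sequence[str] = ("REQUIRES_PRE_AUTH",)) -> Dict[str, List[str]]:
    """Return {principal: [flags it lacks]} for principals missing any required flag."""
    out: Dict[str, List[str]] = {}
    for name, attrs in princs.items():
        missing = [f for f in required if f not in attrs]
        if missing:
            out[name] = missing
    return out


def remediation_commands(princs: Dict[str, Set[str]],
                         required: Sequence[str] = ("REQUIRES_PRE_AUTH",)) -> List[str]:
    """Build the kadmin 'modprinc' lines that would add the missing flags."""
    cmds = []
    for name, missing in missing_flags(princs, required).items():
        opts = " ".join("+" + KADMIN_OPTION[f] for f in missing)
        cmds.append(f"modprinc {opts} {name}")
    return cmds


# Flag values as defined in MIT krb5 headers (kdb.h / krb5.h); assumption by the editor.
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080   # principal attribute, stored in the KDB
TKT_FLG_PRE_AUTH = 0x00200000             # ticket flag, baked into the TGT at AS time


def tgs_preauth_check(server_attributes: int, ticket_flags: int) -> Optional[str]:
    """Mirror of the kdc_util.c check quoted in the post.

    The attribute is read from the *server* principal's KDB entry at TGS time,
    but the preauth flag is read from the TGT that was issued earlier, so
    flipping +requires_preauth after a TGT was obtained still fails until a
    fresh (preauthenticated) TGT replaces it in the ccache.
    """
    if (server_attributes & KRB5_KDB_REQUIRES_PRE_AUTH) and not (ticket_flags & TKT_FLG_PRE_AUTH):
        return "NO PREAUTH"
    return None


if __name__ == "__main__":
    princs = parse_getprinc(SAMPLE_GETPRINC)
    for name, flags in missing_flags(princs, ("REQUIRES_PRE_AUTH", "DISALLOW_SVR")).items():
        print(f"{name}: missing {' '.join(flags)}")
    for cmd in remediation_commands(princs):
        print(cmd)
```

Run the audit over the real output of `kadmin.local -q "getprinc NAME"` for each principal from `listprincs`, and feed the printed modprinc lines back to kadmin once reviewed; the u2u case in the post is exactly the situation where one side of the pair would show up in this report and the other would not.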
