2 preauth questions
Chris Hecker
checker at d6.com
Thu Nov 17 18:49:39 EST 2011
1. I'm running into the "NO PREAUTH" problem with the KDC that's
mentioned here:
Greg:
> For reasons I don't personally understand, the "NO PREAUTH" error
> happens when a TGS request with no preauth comes in for a service
> (not client) principal with requires-preauth set.
http://www.mail-archive.com/kerberos@mit.edu/msg15735.html
Here's the relevant code from the 1.9.1 kdc_utils.c:
> /* Check for any kind of preauthentication */
> if (isflagset(server->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
>     !isflagset(ticket->enc_part2->flags, TKT_FLG_PRE_AUTH)) {
>     *status = "NO PREAUTH";
>     return KRB_ERR_GENERIC;
> }
I actually hit this when trying to do a u2u TGS_REQ, because one of my
princs was just created manually instead of by scripts that set
+requires_preauth, while the other was created "correctly", so the u2u
TGS_REQ works one way but not the other (see also #2 below).
Is there any further rationale for the server->attributes check above?
Thinking about it, the flag seems to be doing double duty: for clients
it requires preauth so dictionary attacks aren't possible, and for
services it requires the clients to be preauthed, I guess as an added
security requirement? When doing u2u, this double-duty means all the
client princs need to be set or none of them do, however, or they won't
interoperate.
Added note: If I modprinc +requires_preauth, but the ccache already has
the tgt in it, it still fails at this u2u stage. I have to delete the
ccache and re-get the tgt, which sets the preauth bit in the tgt that
the kdc checks above, I assume? This last thing isn't a problem when I
don't switch requires_preauth after a valid tgt has already been gotten,
but it's non-intuitive behavior, at least.
I assume there's no way to force a preauth at the TGS_REQ phase, so the
request would just take another loop?
2. On a related note, is there any way to default +requires_preauth on
princs? There are password policies, but I didn't see any way to have
attribute policies that would allow +requires_preauth +disallow_svr as
the default for all my princs created through kadmin manually. When I
create accounts using my perl Authen::Krb5::Admin scripts, I set the
flags correctly, of course, it's just sometimes nice to drop into kadmin
quickly to make a test account.
Chris
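Added example, not code from the post or from MIT krb5: a small Python model of the check quoted above, run through the two situations the post describes (the one-way u2u failure between a scripted and a hand-made principal, and the stale TGT after modprinc +requires_preauth). The model assumes, as the post's observation implies, that a client only preauthenticates when its own principal carries +requires_preauth, so the TGT gets TKT_FLG_PRE_AUTH exactly then; the constant values are assumed to match the MIT headers but only need to be distinct bits, and the principal names are made up.

```python
"""Model of the KDC "NO PREAUTH" check (server attribute vs. requester's TGT
flags), exercised against the user-to-user scenarios in the post.

Added example only; not MIT KDC code.  Assumption: the AS exchange performs
preauth, and so sets TKT_FLG_PRE_AUTH in the TGT, only when the client
principal itself has +requires_preauth.  Constant values assumed to match the
MIT headers; any two distinct bits would do for the model.
"""

from dataclasses import dataclass, field

KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080  # principal attribute (+requires_preauth)
TKT_FLG_PRE_AUTH = 0x00200000            # ticket flag: preauth was done at AS time


def isflagset(flags: int, flag: int) -> bool:
    return flags & flag != 0


@dataclass
class Principal:
    name: str
    attributes: int = 0


@dataclass
class Ticket:
    client: str
    flags: int


@dataclass
class KDC:
    db: dict = field(default_factory=dict)

    def addprinc(self, name: str, requires_preauth: bool = False) -> None:
        attrs = KRB5_KDB_REQUIRES_PRE_AUTH if requires_preauth else 0
        self.db[name] = Principal(name, attrs)

    def modprinc(self, name: str, requires_preauth: bool) -> None:
        p = self.db[name]
        if requires_preauth:
            p.attributes |= KRB5_KDB_REQUIRES_PRE_AUTH
        else:
            p.attributes &= ~KRB5_KDB_REQUIRES_PRE_AUTH

    def as_req(self, client: str) -> Ticket:
        """kinit.  Modelling assumption: preauth happens, and the TGT carries
        TKT_FLG_PRE_AUTH, only if the client's own principal requires it."""
        p = self.db[client]
        preauthed = isflagset(p.attributes, KRB5_KDB_REQUIRES_PRE_AUTH)
        return Ticket(client, TKT_FLG_PRE_AUTH if preauthed else 0)

    def tgs_req(self, tgt: Ticket, server: str) -> str:
        """The quoted check: the *server* principal's attribute is tested
        against the flags in the *requester's* TGT.  Returns the status."""
        srv = self.db[server]
        if (isflagset(srv.attributes, KRB5_KDB_REQUIRES_PRE_AUTH)
                and not isflagset(tgt.flags, TKT_FLG_PRE_AUTH)):
            return "NO PREAUTH"
        return "OK"


def u2u_matrix() -> dict:
    """alice made by the scripts (+requires_preauth), bob made by hand.
    Returns the status of a u2u TGS_REQ in each direction."""
    kdc = KDC()
    kdc.addprinc("alice", requires_preauth=True)
    kdc.addprinc("bob")
    tgts = {n: kdc.as_req(n) for n in ("alice", "bob")}
    return {f"{c}->{s}": kdc.tgs_req(tgts[c], s)
            for c in ("alice", "bob") for s in ("alice", "bob") if c != s}


def stale_ccache() -> tuple:
    """modprinc +requires_preauth on bob after his TGT is already cached:
    the old TGT still lacks TKT_FLG_PRE_AUTH, so bob->alice keeps failing
    until kdestroy/kinit replaces it with a preauthenticated one."""
    kdc = KDC()
    kdc.addprinc("alice", requires_preauth=True)
    kdc.addprinc("bob")
    old_tgt = kdc.as_req("bob")               # kinit before the modprinc
    kdc.modprinc("bob", requires_preauth=True)
    before = kdc.tgs_req(old_tgt, "alice")    # still the cached TGT
    new_tgt = kdc.as_req("bob")               # kdestroy; kinit
    after = kdc.tgs_req(new_tgt, "alice")
    return before, after


if __name__ == "__main__":
    print(u2u_matrix())    # {'alice->bob': 'OK', 'bob->alice': 'NO PREAUTH'}
    print(stale_ccache())  # ('NO PREAUTH', 'OK')
```

Because the check reads the server principal's attribute and the client ticket's flag, two user principals only interoperate for u2u in both directions when both have +requires_preauth or neither does, and a TGT obtained before the attribute was set keeps failing until it is replaced; on a real system the `A` flag in `klist -f` shows whether the cached TGT was preauthenticated.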