2 preauth questions

Greg Hudson ghudson at MIT.EDU
Fri Nov 18 10:36:04 EST 2011


On 11/17/2011 06:49 PM, Chris Hecker wrote:
> Thinking about it, the flag seems to be doing double duty

Yes, it is, with one of the duties having questionable benefits.  It's
not a good situation, but it's also difficult to change without
potentially lowering the security of existing deployments, which we're
very conservative about.

> 2. On a related note, is there any way to default +requires_preauth on
> princs?

The default_principal_flags setting Dennis mentioned is the only knob we
currently have, with the proviso that (1) any flag specified in kadmin
commands will completely override, rather than amend, the default flags,
and (2) the flags will apply to all created principals; there's no way
to distinguish between users and servers.

I've been considering adding a config variable which turns on specified
flags (or maybe just +requires_preauth, -allow_svr) only for principals
with password-derived keys which aren't krbtgt instances.  (Cross TGT
principals are generally created with password-derived keys because
there's no other way to force the same key on both KDCs.  But you need
them to work as server principals, so you just have to pick a really
good password.)
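An added example, not part of the message above and not MIT krb5 code: since flags given to kadmin replace the defaults rather than amend them, a principal can end up without +requires_preauth even when default_principal_flags sets it, so the result is worth auditing. This Python check reads `getprinc` output and lists non-krbtgt principals that lack REQUIRES_PRE_AUTH; the sample output, the SERVICE_NAMES set, and the first-component heuristic for telling users from servers are assumptions.

```python
"""Audit getprinc output for principals that lack REQUIRES_PRE_AUTH."""

# Constructed sample: concatenated `kadmin.local -q "getprinc NAME"` output,
# trimmed to the fields this check reads (plus one unrelated field).
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Principal: bob@EXAMPLE.COM
Attributes:
Principal: carol/admin@EXAMPLE.COM
Attributes: DISALLOW_SVR
Principal: host/web1.example.com@EXAMPLE.COM
Attributes:
Principal: krbtgt/OTHER.ORG@EXAMPLE.COM
Attributes:
"""

# Assumption: first components this site uses only for randomly keyed servers.
SERVICE_NAMES = frozenset({"host", "HTTP", "nfs", "ldap"})


def parse_getprinc(text):
    """Map each principal name to the set of attribute names printed for it."""
    principals, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Principal":
            current = value.strip()
            principals[current] = set()
        elif key.strip() == "Attributes" and current is not None:
            principals[current].update(value.split())
    return principals


def first_component(principal):
    """Return the first name component, e.g. 'krbtgt' for krbtgt/A@B."""
    return principal.rsplit("@", 1)[0].split("/", 1)[0]


def missing_preauth(text, service_names=SERVICE_NAMES):
    """List principals without REQUIRES_PRE_AUTH, skipping krbtgt and servers."""
    flagged = []
    for name, attrs in parse_getprinc(text).items():
        comp = first_component(name)
        if comp == "krbtgt" or comp in service_names:
            continue  # krbtgt instances are excluded, as in the message above
        if "REQUIRES_PRE_AUTH" not in attrs:
            flagged.append(name)
    return sorted(flagged)
```
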


