2 preauth questions

Chris Hecker checker at d6.com
Fri Nov 18 12:14:36 EST 2011


> Yes, it is, with one of the duties having questionable benefits.
> It's not a good situation, but it's also difficult to change without 
> potentially lowering the security of existing deployments, which
> we're very conservative about.

Understandably.  :)  Maybe at least there should be something added to
the documentation, since if you either a) set +requires_preauth on a
service princ (which has been suggested before on this list occasionally
without any discussion of this issue nearby, so it might catch people),
or b) use u2u between clients, then you basically need to make sure
_everybody_ has +requires_preauth set or you're going to get weird
TGS_REQ failures.

One other thing that would have helped me is to switch this error from
KRB5KRB_ERR_GENERIC to something that can be reasoned about on the
client side.  I had to trace through the creds code on the client, find
it was coming from the KDC, look at the KDC logs, then the source, and
then search to actually get the whole picture of what was going on.
Could it be switched to KRB5KDC_ERR_PREAUTH_REQUIRED, with better text
maybe, or make a new error if that would be too overloaded?

Chris


On 2011/11/18 07:36, Greg Hudson wrote:
> On 11/17/2011 06:49 PM, Chris Hecker wrote:
>> Thinking about it, the flag seems to be doing double duty
> 
> Yes, it is, with one of the duties having questionable benefits.  It's
> not a good situation, but it's also difficult to change without
> potentially lowering the security of existing deployments, which we're
> very conservative about.
> 
>> 2. On a related note, is there any way to default +requires_preauth on
>> princs?
> 
> The default_principal_flags setting Dennis mentioned is the only knob we
> currently have, with the proviso that (1) any flag specified in kadmin
> commands will completely override, rather than amend, the default flags,
> and (2) the flags will apply to all created principals; there's no way
> to distinguish between users and servers.
> 
> I've been considering adding a config variable which turns on specified
> flags (or maybe just +requires_preauth, -allow_svr) only for principals
> with password-derived keys which aren't krbtgt instances.  (Cross TGT
> principals are generally created with password-derived keys because
> there's no other way to force the same key on both KDCs.  But you need
> them to work as server principals, so you just have to pick a really
> good password.)
> 
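
An added example, not code from either poster or from MIT krb5: an audit for the mixed-flag state described above, where a ticket target has +requires_preauth and some clients do not. It assumes the `Principal:` / `Attributes:` lines of `kadmin getprinc` output and treats a "/" in the name as marking a service principal (a heuristic; as noted above, the KDC does not distinguish users from servers). The sample data is constructed.

```python
FLAG = "REQUIRES_PRE_AUTH"

# Constructed sample: getprinc-style output, trimmed to the two fields used here.
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Principal: bob@EXAMPLE.COM
Attributes:
Principal: host/web.example.com@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Attributes:
"""


def parse_principals(text):
    """Return {principal: set of attribute names} from getprinc-style text."""
    princs, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        if key == "Principal":
            current = value.strip()
            princs[current] = set()
        elif key == "Attributes" and current is not None:
            princs[current].update(value.split())
    return princs


def audit(princs, u2u=False):
    """List principals whose TGTs would lack the preauth bit while some
    ticket target demands it (the TGS_REQ failure from the thread).

    u2u=True treats every principal as a possible ticket target.
    """
    def is_tgt(name):
        return name.startswith("krbtgt/")

    def is_target(name):
        # Assumption: "/" in the part before the realm marks a service.
        return u2u or "/" in name.split("@")[0]

    demanding = [p for p, attrs in princs.items()
                 if FLAG in attrs and not is_tgt(p) and is_target(p)]
    if not demanding:
        return []
    return sorted(p for p, attrs in princs.items()
                  if FLAG not in attrs and not is_tgt(p))
```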


