Using PREAUTH on the initial AS_REQ

Jack Neely jjneely at ncsu.edu
Thu Sep 20 15:09:22 EDT 2012


On Wed, Sep 19, 2012 at 04:07:47PM -0400, Jack Neely wrote:
> Greetings,
> 
> I have a performance issue between my KDCs and our radius servers that
> have very heavy authentication load.  As our principals have PREAUTH
> required there's much more RPC traffic to the KDCs than with PREAUTH
> turned off.  Combined with the kprop happening every 5 minutes our
> radius servers sometimes encounter a 3 or 5 second delay, and with 600
> requests a minute things quickly cascade.
> 
> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> initial AS_REQ?  (We are just using PA-ENC-TIMESTAMP.)  Testing with a
> principal that does not require PREAUTH shows a marked performance
> increase.
> 
> Secondly, my KDCs are getting quite a few PREAUTH_FAILED error messages
> which seems to indicate the client used a PREAUTH type the KDC did not
> understand.  Will setting preferred_preauth_types in krb5.conf to use
> PA-ENC-TIMESTAMP first correct this?  What's the right incantation?
> 

Nothing like replying to your own email.  A network capture has revealed
what's happening with the PREAUTH_FAILED error messages.  My newer
clients (krb5 1.9 on RHEL 6) are sending an AS_REQ to my KDCs with a
preauthentication data of type PA-REQ-ENC-PA-REP (149).

My KDCs are RHEL 5 running krb5 1.6.1 and in this case return error code
KRB5KDC_ERR_PREAUTH_FAILED (24).  At this point the client tries an
AS_REQ with either no preauth or PA-ENC-TIMESTAMP.

As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
shouldn't it be ignoring the preauth data rather than returning an
error?

Jack Neely

-- 
Jack Neely <jjneely at ncsu.edu>
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89
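The exchange described in the message above, modelled as an added example that is not part of the original post or of MIT krb5: a client that sends PA-REQ-ENC-PA-REP (149) in its first AS-REQ, a KDC that rejects unknown padata with KRB5KDC_ERR_PREAUTH_FAILED (24) as the 1.6.1 KDC is reported to do, a hypothetical KDC that ignores unknown padata instead, and the client's fallback to either an empty AS-REQ or one carrying PA-ENC-TIMESTAMP (2). The padata type numbers and error codes are the real values from RFC 4120 and RFC 6113; the `KDC` and `as_exchange` classes, the `ignore_unknown` switch and the round-trip counting are assumptions constructed here to make the cost of each path countable, not a description of any real KDC's code.

```python
"""Model of the AS exchange reported in the thread (constructed example).

Counts how many AS-REQ/reply round trips a client needs to obtain an AS-REP
depending on (a) what the client puts in its first AS-REQ, (b) whether the
KDC rejects or ignores padata types it does not know, and (c) how the client
falls back after KRB5KDC_ERR_PREAUTH_FAILED.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# padata types (RFC 4120 section 7.5.2, RFC 6113 section 7.1)
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO2 = 19
PA_REQ_ENC_PA_REP = 149

# KRB-ERROR codes (RFC 4120 section 7.5.9)
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25


@dataclass
class Reply:
    error: Optional[int]          # None means the KDC answered with an AS-REP
    padata: List[int] = field(default_factory=list)


class KDC:
    """Hypothetical KDC; `ignore_unknown` is the behaviour the post asks for."""

    def __init__(self, known_padata: List[int], preauth_required: bool,
                 ignore_unknown: bool):
        self.known = set(known_padata)
        self.preauth_required = preauth_required
        self.ignore_unknown = ignore_unknown

    def handle(self, padata: List[int]) -> Reply:
        unknown = [t for t in padata if t not in self.known]
        if unknown and not self.ignore_unknown:
            # Behaviour observed from the 1.6.1 KDC in the post: error 24.
            return Reply(KDC_ERR_PREAUTH_FAILED)
        if self.preauth_required and PA_ENC_TIMESTAMP not in padata:
            # Principal needs preauth and none usable was supplied: error 25
            # with ETYPE-INFO2 so the client can build the timestamp.
            return Reply(KDC_ERR_PREAUTH_REQUIRED, [PA_ETYPE_INFO2])
        return Reply(None)


def as_exchange(kdc: KDC, initial_padata: List[int],
                fallback_with_timestamp: bool) -> Tuple[int, list]:
    """Run the client side until an AS-REP arrives.

    Returns (round_trips, transcript); transcript is a list of
    (padata types sent, error code received or None) per round trip.
    """
    padata = list(initial_padata)
    transcript = []
    for round_trips in range(1, 5):          # a real client gives up too
        reply = kdc.handle(padata)
        transcript.append((list(padata), reply.error))
        if reply.error is None:
            return round_trips, transcript
        if reply.error == KDC_ERR_PREAUTH_FAILED:
            # The post describes both fallbacks; pick one per the flag.
            padata = [PA_ENC_TIMESTAMP] if fallback_with_timestamp else []
        elif reply.error == KDC_ERR_PREAUTH_REQUIRED:
            padata = [PA_ENC_TIMESTAMP]
        else:
            raise RuntimeError("unexpected KRB-ERROR %d" % reply.error)
    raise RuntimeError("no AS-REP after 4 round trips")


# KDC that only knows PA-ENC-TIMESTAMP and rejects anything else (as observed)
OLD_KDC = KDC([PA_ENC_TIMESTAMP], preauth_required=True, ignore_unknown=False)
# Hypothetical KDC that skips padata it does not understand
TOLERANT_KDC = KDC([PA_ENC_TIMESTAMP], preauth_required=True, ignore_unknown=True)


if __name__ == "__main__":
    cases = [
        ("old KDC, client sends 149 then retries empty", OLD_KDC, [PA_REQ_ENC_PA_REP], False),
        ("old KDC, client sends 149 then retries timestamp", OLD_KDC, [PA_REQ_ENC_PA_REP], True),
        ("old KDC, client sends timestamp first", OLD_KDC, [PA_ENC_TIMESTAMP], True),
        ("tolerant KDC, client sends 149", TOLERANT_KDC, [PA_REQ_ENC_PA_REP], True),
        ("tolerant KDC, client sends 149 and timestamp", TOLERANT_KDC,
         [PA_REQ_ENC_PA_REP, PA_ENC_TIMESTAMP], True),
    ]
    for label, kdc, first, fallback in cases:
        n, trace = as_exchange(kdc, first, fallback)
        print("%-50s %d round trip(s) %s" % (label, n, trace))
```

The only path that reaches an AS-REP in a single round trip against the rejecting KDC is the one where the client already carries PA-ENC-TIMESTAMP in its first AS-REQ and sends nothing the KDC does not recognise; the empty-retry path costs three. MIT krb5 does expose a `preferred_preauth_types` setting in the `[libdefaults]` section of krb5.conf, and 2 is the PA-ENC-TIMESTAMP type, but whether that setting also stops a 1.9 client from sending padata 149 in the first request is not established by this message, so treat that as something to confirm with a capture rather than assume.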

