Using PREAUTH on the initial AS_REQ

Greg Hudson ghudson at MIT.EDU
Thu Sep 20 15:47:30 EDT 2012


On 09/19/2012 04:07 PM, Jack Neely wrote:
> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> initial AS_REQ?  (We are just using PA-ENC-TIMESTAMP.)

Unfortunately, you can't, unless you control the code which is getting
initial tickets.  If you're just using stock kinit or the like, there's
no runtime configuration option to do optimistic preauthentication.

If you do control the code which is getting initial tickets, you can use
krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
types to try optimistically.

> As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
> shouldn't it be ignoring the preauth data rather than returning an
> error?

It should, and a 1.7 or later KDC will do so.
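Added example, not part of the original message and not MIT krb5 code: a capture-side check that an AS-REQ really carries PA-ENC-TIMESTAMP, which is what a client that set its list with krb5_get_init_creds_opt_set_preauth_list() should send first. The helper names and the sample requests (dummy padata values, empty req-body) are constructed for illustration; type numbers 2 and 149 are the RFC 4120 and RFC 6806 assignments.

```python
# Added example: list the padata types in a DER-encoded AS-REQ (RFC 4120).
PA_ENC_TIMESTAMP, PA_REQ_ENC_PA_REP = 2, 149  # RFC 4120 / RFC 6806 numbers

def tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos:pos + 2]  # unpacking raises ValueError if truncated
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # yield (tag, value) for each element of a constructed value
    pos = 0
    while pos < len(buf):
        tag, value, pos = tlv(buf, pos)
        yield tag, value

def as_req_padata_types(der):
    """Return the padata-type numbers of an AS-REQ, in wire order."""
    tag, body, _ = tlv(der)
    if tag != 0x6A:  # [APPLICATION 10] marks an AS-REQ
        raise ValueError("not an AS-REQ")
    types = []
    for ftag, field in children(tlv(body)[1]):  # fields of the KDC-REQ SEQUENCE
        if ftag == 0xA3:  # padata [3] is OPTIONAL; other fields are skipped
            for _, pa in children(tlv(field)[1]):  # each PA-DATA SEQUENCE
                for ptag, pfield in children(pa):
                    if ptag == 0xA1:  # padata-type [1] Int32
                        types.append(int.from_bytes(tlv(pfield)[1], "big", signed=True))
    return types

def is_optimistic(der):  # True when this AS-REQ already carries PA-ENC-TIMESTAMP
    return PA_ENC_TIMESTAMP in as_req_padata_types(der)

def enc(tag, *parts):  # minimal DER encoder, used only to build the samples
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_as_req(pa_types):
    """Constructed AS-REQ skeleton: dummy padata values, empty req-body."""
    num = lambda v: enc(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    pas = [enc(0x30, enc(0xA1, num(t)), enc(0xA2, enc(0x04, bytes(150)))) for t in pa_types]
    padata = [enc(0xA3, enc(0x30, *pas))] if pas else []
    return enc(0x6A, enc(0x30, enc(0xA1, num(5)), enc(0xA2, num(10)), *padata, enc(0xA4, enc(0x30))))
```

To use it on real traffic, pass the Kerberos payload of the first AS-REQ from a capture (over TCP, the bytes after the 4-byte length prefix) to `is_optimistic()`.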


