Using PREAUTH on the initial AS_REQ

Alejandro Perez Mendez alex at um.es
Thu Sep 20 16:19:02 EDT 2012


On 20/09/12 21:47, Greg Hudson wrote:
> On 09/19/2012 04:07 PM, Jack Neely wrote:
>> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
>> initial AS_REQ?  (We are just using PA-ENC-TIMESTAMP.)
> Unfortunately, you can't, unless you control the code which is getting
> initial tickets.  If you're just using stock kinit or the like, there's
> no runtime configuration option to do optimistic preauthentication.
>
> If you do control the code which is getting initial tickets, you can use
> krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
> types to try optimistically.

Hi,

Check the following commit I performed some weeks ago, as part of my GSS
Preauth plugin. I needed exactly the same, so I implemented the
functionality.

https://github.com/alejandro-perez/krb5/commit/026b76a1208b4e3304e9477a897c6fb798cbc661

After applying this patch, just use the -u option with the PA_DATA number
along with your "kinit" command, as explained in this file:
https://github.com/alejandro-perez/krb5/blob/gsspreauth/src/plugins/preauth/gssapi/README.txt

Regards

>
>> As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
>> shouldn't it be ignoring the preauth data rather than returning an
>> error?
> It should, and a 1.7 or later KDC will do so.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
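
Added example (not code from this thread, the linked patch, or MIT krb5): one way to confirm from a captured packet whether a client's initial AS_REQ really carries PA-ENC-TIMESTAMP is to list the padata types in the request. The function names and the sample requests are constructed for this illustration; the padata numbers are 2 (PA-ENC-TIMESTAMP, RFC 4120) and 149 (PA-REQ-ENC-PA-REP, RFC 6806).

```python
PA_ENC_TIMESTAMP = 2       # RFC 4120 padata type
PA_REQ_ENC_PA_REP = 149    # RFC 6806 padata type

def tlv(tag, body):
    """Encode one short-form DER element (only builds the constructed samples)."""
    assert len(body) < 0x80, "sample builder handles short-form lengths only"
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode the element at pos -> (tag, value, next_pos); reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(value):
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v

def as_req_padata_types(der):
    """Return the padata-type numbers, in order, from a DER-encoded AS-REQ."""
    tag, kdc_req, _ = read_tlv(der)
    if tag != 0x6A:                   # [APPLICATION 10] = AS-REQ
        raise ValueError("not an AS-REQ")
    types = []
    for ftag, fval in children(read_tlv(kdc_req)[1]):
        if ftag != 0xA3:              # padata [3] SEQUENCE OF PA-DATA
            continue
        for _, pa in children(read_tlv(fval)[1]):
            for etag, ev in children(pa):
                if etag == 0xA1:      # padata-type [1] Int32
                    types.append(int.from_bytes(read_tlv(ev)[1], "big", signed=True))
    return types

def sample_as_req(pa_types):
    """Constructed sample: AS-REQ skeleton with empty padata values and req-body."""
    integer = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    pa = b"".join(tlv(0x30, tlv(0xA1, integer(t)) + tlv(0xA2, tlv(0x04, b""))) for t in pa_types)
    body = tlv(0xA1, integer(5)) + tlv(0xA2, integer(10))
    body += (tlv(0xA3, tlv(0x30, pa)) if pa_types else b"") + tlv(0xA4, tlv(0x30, b""))
    return tlv(0x6A, tlv(0x30, body))
```

`PA_ENC_TIMESTAMP in as_req_padata_types(der)` is true only when the first request already carries the encrypted timestamp. Pass the Kerberos message as it appears in a UDP payload; over TCP, strip the 4-byte length prefix first.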


