Using PREAUTH on the initial AS_REQ

Will Fiveash will.fiveash at oracle.com
Thu Sep 20 16:22:48 EDT 2012


On Thu, Sep 20, 2012 at 03:47:30PM -0400, Greg Hudson wrote:
> On 09/19/2012 04:07 PM, Jack Neely wrote:
> > How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> > initial AS_REQ?  (We are just using PA-ENC-TIMESTAMP.)
> 
> Unfortunately, you can't, unless you control the code which is getting
> initial tickets.  If you're just using stock kinit or the like, there's
> no runtime configuration option to do optimistic preauthentication.
> 
> If you do control the code which is getting initial tickets, you can use
> krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
> types to try optimistically.

Note, if the princ record in the KDB doesn't contain a key for the
enctype used to protect the preauth data in the AS_REQ the KDC will send
back an error and the show is over at that point.  I learned this the
hard way when I modified pam_krb5 to do optimistic preauth (I had to
remove that logic).

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>