Using PREAUTH on the initial AS_REQ
Will Fiveash
will.fiveash at oracle.com
Thu Sep 20 16:22:48 EDT 2012
On Thu, Sep 20, 2012 at 03:47:30PM -0400, Greg Hudson wrote:
> On 09/19/2012 04:07 PM, Jack Neely wrote:
> > How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> > initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.)
>
> Unfortunately, you can't, unless you control the code which is getting
> initial tickets. If you're just using stock kinit or the like, there's
> no runtime configuration option to do optimistic preauthentication.
>
> If you do control the code which is getting initial tickets, you can use
> krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
> types to try optimistically.
Note, if the princ record in the KDB doesn't contain a key for the
enctype used to protect the preauth data in the AS_REQ the KDC will send
back an error and the show is over at that point. I learned this the
hard way when I modified pam_krb5 to do optimistic preauth (I had to
remove that logic).
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
More information about the Kerberos
mailing list