SSH and The requires_pre_auth attribute
Dan Mahoney (Gushi)
danm at prime.gushi.org
Mon Nov 23 16:41:37 EST 2020
Hey all.
At the day job, we found that a user was able to log in to one system, but
not another -- and the difference was that everyone who *could* log in had
the requires_preauth attribute set on their principal, and newuser@DOM.AIN
didn't. This was with password, not GSSAPI, authentication
(KerberosAuthentication yes; UsePAM no).
Both hosts were FreeBSD, running 11.4-RELEASE-patchlevelwhatever with the
default sshd. Nearly identical sshd_configs. Both had all the right DNS.
Having figured that out, we went down the rabbit hole of figuring out what
was different about the hosts: one of the *host* Kerberos entries (the
one they couldn't log into) also had REQUIRES_PRE_AUTH set.
Now, I've only loosely understood what REQUIRES_PRE_AUTH does. It's an
offline attack prevention thing. Reading the O'Reilly Kerberos bit made
it a bit clearer, and this page made it quite clear:
https://ldapwiki.com/wiki/Kerberos%20Pre-Authentication
None of those docs were on the MIT website.
This (confusing) page is the only mention I could find in the first page
of google results on the mit website for "Kerberos Preauth":
https://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/clpreauth.html
And nowhere (except on a mailing list post I just found after solving the
problem) does it say that if you set it on a host, you *must* set it on a
user. Nothing mentions ssh. That could all be made clearer.
https://comp.protocols.kerberos.narkive.com/8TmACXy8/gssapidelegatecredentials-only-works-for-requires-pre-auth-principals
I'm posting this so that hopefully someone in the future will find this.
Now, my questions for y'all:
1) Is my "if it's on the host entry, it must be on the user entry"
basically accurate?
2) Preauth is a good thing. We need to go through and set
requires_pre_auth for every host/foo@DOM.AIN entry and user@DOM.AIN entry
on our KDC. I can't find a way to list all princs that have (or don't
have) a given attribute. Is there a way?
3) Is there a way to mass set these attributes?
4) Is there a way to make these attributes *the default* when adding a new
princ? I can define a policy, but not an attribute-set for that policy.
Best,
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
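An added example, not part of Dan's post or of MIT's own tooling, that addresses questions 2 and 3 above: a POSIX shell audit that parses `kadmin.local getprinc` output for the `Attributes:` line and reports principals lacking REQUIRES_PRE_AUTH, with a constructed sample dump so it can be tried offline. It assumes MIT Kerberos `kadmin.local` on the KDC and the standard getprinc block layout (first line `Principal:`, last line `Policy:`).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes MIT Kerberos kadmin.local
# on the KDC and its standard getprinc layout: each block starts with
# "Principal:" and ends with "Policy:"; an empty "Attributes:" line means no flags.

# Read getprinc blocks on stdin; print each principal whose Attributes: line
# lacks REQUIRES_PRE_AUTH.
report_missing() {
    awk '
        /^Principal:/  { princ = $2; attrs = "" }
        /^Attributes:/ { attrs = $0 }
        /^Policy:/     { if (attrs !~ /REQUIRES_PRE_AUTH/) print princ }
    '
}

# Dump every principal in the realm via kadmin.local and report the gaps
# (question 2: list principals that do not have the attribute).
audit_realm() {
    kadmin.local -q listprincs | grep '@' | while read -r princ; do
        kadmin.local -q "getprinc $princ"
    done | report_missing
}

# Mass-set the flag on every principal audit_realm reports (question 3).
enforce_preauth() {
    audit_realm | while read -r princ; do
        kadmin.local -q "modprinc +requires_preauth $princ"
    done
}

# For new principals (question 4), the KDC-side default is set in kdc.conf:
#   [realms]  DOM.AIN = { default_principal_flags = +preauth }

# Constructed sample getprinc output for offline testing (not real KDC data).
SAMPLE='Principal: user@DOM.AIN
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: newuser@DOM.AIN
Expiration date: [never]
Attributes:
Policy: [none]
Principal: host/box.dom.ain@DOM.AIN
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]'

# Demo on the constructed sample: prints only newuser@DOM.AIN.
printf '%s\n' "$SAMPLE" | report_missing
```

Run `audit_realm` first to see the gaps; `enforce_preauth` only flips principals the audit reported, so it is idempotent.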