SSH and The requires_pre_auth attribute

Dan Mahoney (Gushi) danm at prime.gushi.org
Mon Nov 23 16:41:37 EST 2020


Hey all.

At the day job, we found that a user was able to log in to one system, but 
not another -- and the difference was that everyone who *could* log in had 
the requires_preauth attribute set on their principal, and newuser at DOM.AIN 
didn't.  This was with password, not GSSAPI, authentication 
(KerberosAuthentication yes; UsePAM no).

Both hosts were FreeBSD, running 11.4-RELEASE-patchlevelwhatever with the 
default sshd.  Nearly identical sshd_configs.  Both had all the right DNS.

Having figured that out, we went down the rabbit hole of figuring out what 
was different about the hosts: One of the *hosts'* Kerberos entries (the 
one they couldn't log into) also had REQUIRES_PRE_AUTH set.

Now, I've only loosely understood what REQUIRES_PRE_AUTH does.  It's an 
offline attack prevention thing.  Reading the O'Reilly Kerberos bit made 
it a bit clearer, and this page made it quite clear:

https://ldapwiki.com/wiki/Kerberos%20Pre-Authentication

None of those docs were on the MIT website.

This (confusing) page is the only mention I could find in the first page 
of google results on the mit website for "Kerberos Preauth":

https://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/clpreauth.html

And nowhere (except on a mailing list post I just found after solving the 
problem) does it say that if you set it on a host, you *must* set it on a 
user.   Nothing mentions ssh.  That could all be made clearer.

https://comp.protocols.kerberos.narkive.com/8TmACXy8/gssapidelegatecredentials-only-works-for-requires-pre-auth-principals

I'm posting this so that hopefully someone in the future will find this.

Now, my questions for y'all:

1) Is my "if it's on the host entry, it must be on the user entry" 
basically accurate?

2) Preauth is a good thing.  We need to go through and set 
requires_pre_auth for every host/foo at DOM.AIN entry and user at DOM.AIN entry 
on our kdc.  I can't find a way to list all princs that have (or don't 
have) a given attribute.  Is there a way?

3) Is there a way to mass set these attributes?

4) Is there a way to make these attributes *the default* when adding a new 
princ? I can define a policy, but not an attribute-set for that policy.

Best,

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
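As an added example (not part of Dan's post), a small POSIX sh helper for questions 2 and 3, assuming MIT krb5's kadmin.local on the KDC and its get_principal output format, where the flags appear on the "Attributes:" line; the sample principal dump is constructed:

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT krb5's kadmin.local
# on the KDC; get_principal prints flags on a line such as
# "Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH".

# Keep only principal names from list_principals output (drops the
# "Authenticating as principal ..." banner and anything else with spaces).
principal_names() {
    awk 'NF == 1 && /@/'
}

# Exit 0 if the get_principal dump on stdin carries REQUIRES_PRE_AUTH.
has_preauth() {
    attrs=$(sed -n 's/^Attributes:[[:space:]]*//p')
    case " $attrs " in
        *" REQUIRES_PRE_AUTH "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Question 2: print every principal in the realm that lacks the flag.
# $1 optionally overrides the kadmin command (e.g. "kadmin -p admin/admin").
list_without_preauth() {
    kadm=${1:-kadmin.local}
    $kadm -q list_principals </dev/null | principal_names | while read -r princ; do
        if ! $kadm -q "get_principal $princ" </dev/null | has_preauth; then
            printf '%s\n' "$princ"
        fi
    done
}

# Question 3: set the flag on every principal that lacks it.
set_preauth_everywhere() {
    kadm=${1:-kadmin.local}
    list_without_preauth "$kadm" | while read -r princ; do
        $kadm -q "modify_principal +requires_preauth $princ" </dev/null
    done
}

# Constructed get_principal output (a principal like newuser in the post),
# so the parsing can be exercised offline without a KDC.
SAMPLE_NEWUSER='Principal: newuser@DOM.AIN
Attributes:
Policy: [none]'

if printf '%s\n' "$SAMPLE_NEWUSER" | has_preauth; then
    echo "sample: REQUIRES_PRE_AUTH set"
else
    echo "sample: REQUIRES_PRE_AUTH not set"
fi
# On a real KDC: run list_without_preauth, review, then set_preauth_everywhere.
```

For question 4, MIT krb5's kdc.conf accepts `default_principal_flags = +preauth` in the realm stanza, which gives new principals the flag without a per-principal modify_principal.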