[krbdev.mit.edu #8676] RFE: [realms] should support an "always_use_preauth" option
James Ralston via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Apr 30 11:16:02 EDT 2018
Anyone who has watched the MIT Kerberos library speak to a Microsoft
Active Directory KDC knows that performing a simple kinit requires a
13-packet exchange:
---------------------------------------------------------
packet TCP Kerberos
number who proto options protocol
---------------------------------------------------------
1 C UDP AS-REQ (no preauth)
2 S UDP KRB5KDC_PREAUTH_REQUIRED
3 C UDP AS-REQ (with preauth)
4 S UDP KRB5KRB_ERR_RESPONSE_TOO_BIG
5 C TCP SYN
6 S TCP SYN/ACK
7 C TCP ACK
8 C TCP PSH/ACK AS-REQ (with preauth)
9 S TCP PSH/ACK AS-REP
10 C TCP ACK
11 C TCP FIN/ACK
12 S TCP ACK
13 S TCP RST/ACK
---------------------------------------------------------
The first (UDP-based) exchange fails because the MIT Kerberos library
doesn't use preauth. The second exchange fails because virtually all
responses from a Microsoft Active Directory KDC will include a PAC,
and thus will be unable to fit within a UDP packet.
There is a [libdefaults] option, udp_preference_limit, that can be
used to tell the MIT Kerberos library to always use TCP instead of
UDP. But when speaking to an Active Directory KDC, setting that
option to 0 (to always force TCP) in fact makes the exchange *worse*,
not better:
---------------------------------------------------------
packet TCP Kerberos
number who proto options protocol
---------------------------------------------------------
1 C TCP SYN
2 S TCP SYN/ACK
3 C TCP ACK
4 C TCP PSH/ACK AS-REQ (no preauth)
5 S TCP PSH/ACK KRB5KDC_PREAUTH_REQUIRED
6 C TCP ACK
7 C TCP FIN/ACK
8 S TCP ACK
9 S TCP RST/ACK
10 C TCP SYN
11 S TCP SYN/ACK
12 C TCP ACK
13 C TCP PSH/ACK AS-REQ (with preauth)
14 S TCP PSH/ACK AS-REP
15 C TCP ACK
16 C TCP FIN/ACK
17 S TCP ACK
18 S TCP RST/ACK
---------------------------------------------------------
Rather than taking 2 UDP packets to discover that preauth is required,
it takes 9 TCP packets.
If there were a [realms]-specific option for the administrator to tell
the MIT Kerberos library that a specific realm *always* requires
preauth, then the useless KRB5KDC_PREAUTH_REQUIRED exchange (2 UDP
packets or 9 TCP packets) could be avoided. Combined with setting
udp_preference_limit, this could meaningfully reduce the packet
exchange count required for an initial kinit:
---------------------------------------------------------
packet TCP Kerberos
number who proto options protocol
---------------------------------------------------------
1 C TCP SYN
2 S TCP SYN/ACK
3 C TCP ACK
4 C TCP PSH/ACK AS-REQ (with preauth)
5 S TCP PSH/ACK AS-REP
6 C TCP ACK
7 C TCP FIN/ACK
8 S TCP ACK
9 S TCP RST/ACK
---------------------------------------------------------
Therefore, please consider adding a [realms]-specific option to force
the MIT Kerberos libraries to always use preauth when talking to the
KDCs for the realm in question.
More information about the krb5-bugs
mailing list