PA Data and KLApi's

Mike Friedman mikef at ack.Berkeley.EDU
Fri Jan 23 13:29:24 EST 2004

On Fri Jan 23 09:29:56 2004, Jeffrey Hutzelman said:

>> What I don't understand is why doing the preauth in response to 'NEEDS
>> PREAUTH' works for this V4 key, but doing preauth on the initial AS
>> request doesn't.  I had to back out my change, because we still do have
>> a bunch of old V4-created principals.
> There are two different errors involved here.  If you send a request 
> without preauth, and the KDC requires it, you get a "preauth required" 
> error.  Along with the error you get various useful bits of information, 
> such as what preauth types are supported by the KDC, what enctype(s) the 
> KDC has keys for you for, and what the salt strings were.  In the case of a 
> principal that was converted from V4 and has never had its password 
> changed, the salt string is '', which is not the same as the default.
> If you send a request with preauth, and there is a problem (for example, 
> you encrypted your timestamp with the wrong key), you get a "preauth 
> failed" error.


Aha, that's exactly what I figured (after I had thought about it
some more).  The essential point here is that the initial 'preauth
required' response from the KDC also contains information to be used
by the client on the subsequent preauth request, to correspond to
the way the V4 key had been created (unsalted, etc.).  This also means
that I can't configure the KDC to accept the default preauth request
in these cases, because the ENC_TIMESTAMP encryption won't correspond
to the key as it appears in the KDC.

So, I guess I'm stuck with the current method as long as I've still
got these infernal old keys in my database (a number of which apparently
belong to current users).  Unfortunately, we couldn't just require these
folks to change their passphrases, because the web page I provide for
that purpose also uses my authentication code.  (Most of our users don't
run their own client Kerberos software).  Therefore, I've had to change
my code back to using the default method.

Thanks for the clarification.


Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
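
A simplified model of the two exchanges described above, added here as an illustration and not code from this thread or from MIT Kerberos. The KDC, realm and principal names are constructed; the key derivation and the timestamp check are stand-ins for the real string-to-key and PA-ENC-TIMESTAMP, and only the salt handling is meant to be faithful.

```python
import hashlib
import hmac
import time

def default_salt(realm: str, principal: str) -> str:
    # RFC 4120 default salt: realm name followed by the principal name components
    return realm + principal

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for string2key: the PBKDF2-HMAC-SHA1 step of the RFC 3962 AES
    # derivation without the final DK() step (simplification, not the real algorithm)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 16)

def pa_enc_timestamp(password: str, salt: str, ts: str) -> tuple:
    # Stand-in for PA-ENC-TIMESTAMP: an HMAC over the timestamp under the derived key
    key = string_to_key(password, salt)
    return ts, hmac.new(key, ts.encode(), "sha256").digest()

class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}  # principal -> (key, salt the key was derived with)

    def add_principal(self, name: str, password: str, salt=None):
        # A V4-converted principal keeps salt '' until its password is changed
        salt = default_salt(self.realm, name) if salt is None else salt
        self.db[name] = (string_to_key(password, salt), salt)

    def as_req(self, name: str, preauth=None):
        key, salt = self.db[name]
        if preauth is None:
            # "preauth required": the error carries PA-ETYPE-INFO, including the salt
            return "PREAUTH_REQUIRED", {"salt": salt}
        ts, mac = preauth
        if not hmac.compare_digest(hmac.new(key, ts.encode(), "sha256").digest(), mac):
            return "PREAUTH_FAILED", None  # timestamp under the wrong key: "preauth failed"
        return "AS_REP", "ticket-for-" + name

def login_preauth_first(kdc: KDC, name: str, password: str) -> str:
    """Preauth on the initial AS-REQ, guessing the default salt (the change that was backed out)."""
    ts = str(int(time.time()))
    return kdc.as_req(name, pa_enc_timestamp(password, default_salt(kdc.realm, name), ts))[0]

def login_default(kdc: KDC, name: str, password: str) -> str:
    """Default method: plain AS-REQ first, then preauth with the salt the KDC returned."""
    status, info = kdc.as_req(name)
    if status != "PREAUTH_REQUIRED":
        return status
    ts = str(int(time.time()))
    return kdc.as_req(name, pa_enc_timestamp(password, info["salt"], ts))[0]
```

With a normal principal both methods succeed; with a V4-converted principal (salt '') only the default method does, because the first method derives the key with the default salt and gets "preauth failed".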