kadm5_rename_principal salt question

John Hascall john at iastate.edu
Tue Sep 25 13:05:32 EDT 2007

> We'd be interested in the resulting code.

    Will do.

>     John> Do we know at what version of the clients this
>     John> salt-awareness appeared?
> It's been there for a long time.  Probably pre-1.0.  The most modern
> form appeared in 1.3, although I'd expect anything newer than 1.2.5 to
> also work well.

   That's good to know.  I think 1.2.5 is the oldest thing we have around.

>     John> Now we have a WebCT system which is authenticating, and
>     John> (unlike most clients which send a preauth-less request
>     John> initially), it includes pre-auth in its initial request.
>     John> But this preauth is using "des-cbc-crc:normal".  So every
>     John> one of these gets a PREAUTH_FAILED log entry in kdc.log
>     John> which makes our log-scanner/IDS think that our WebCT servers
>     John> are constantly attacking.  And, so it's exempted and we'd
>     John> never see a real attack.

> I'm not convinced that you'll avoid preauth_failed for renamed
> principals unfortunately.

      I think we agree.  By adding des-cbc-crc:normal keys
      most principals will work with a single round-trip
      (AS-REQ/AS-REP), but I think it will still work with
      renamed-but-unrepassworded princs just with the same
      are seeing now because we don't have des-cbc-crc:normal

      I can live with a little noise from these principals
      until they change their passwords -- it'll be a vast
      improvement from every single princ doing it.

      I may even change the log message if I see that the salt
      in the DB doesn't match the pw-salt in the padata of the
      AS-REQ which should quiet it down the rest of the way.


More information about the krbdev mailing list