kadm5_rename_principal salt question
john at iastate.edu
Tue Sep 25 13:05:32 EDT 2007
> We'd be interested in the resulting code.
> John> Do we know at what version of the clients this
> John> salt-awareness appeared?
> It's been there for a long time. Probably pre-1.0. The most modern
> form appeared in 1.3, although I'd expect anything newer than 1.2.5 to
> also work well.
That's good to know. I think 1.2.5 is the oldest thing we have around.
> John> Now we have a WebCT system which is authenticating, and
> John> (unlike most clients which send a preauth-less request
> John> initially), it includes pre-auth in its initial request.
> John> But this preauth is using "des-cbc-crc:normal". So every
> John> one of these gets a PREAUTH_FAILED log entry in kdc.log
> John> which makes our log-scanner/IDS think that our WebCT servers
> John> are constantly attacking. And, so it's exempted and we'd
> John> never see a real attack.
> I'm not convinced that you'll avoid preauth_failed for renamed
> principals unfortunately.
I think we agree. By adding des-cbc-crc:normal keys
most principals will work with a single round-trip
(AS-REQ/AS-REP), but I think it will still work with
renamed-but-unrepassworded princs just with the same
PREAUTH_FAILED, PREAUTH_NEEDED, ISSUE sequence we
are seeing now because we don't have des-cbc-crc:normal.
I can live with a little noise from these principals
until they change their passwords -- it'll be a vast
improvement from every single princ doing it.
I may even change the log message if I see that the salt
in the DB doesn't match the pw-salt in the padata of the
AS-REQ which should quiet it down the rest of the way.
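The log noise described in this thread is a detection problem as much as a KDC-configuration one: a blanket IDS exemption for the WebCT servers is exactly what hides a real attack. The script below is an added example (mine, not the poster's or MIT Kerberos code) that correlates kdc.log events per (client IP, client principal) and treats a PREAUTH_FAILED that is followed within a short window by an ISSUE for the same key as a benign salt-mismatch retry, while counting PREAUTH_FAILED entries with no subsequent ISSUE as unresolved and alerting when they pass a threshold. The sample lines are constructed, modelled on the layout of MIT krb5kdc's kdc.log (the KDC logs the middle step as NEEDED_PREAUTH; the regex also accepts the PREAUTH_NEEDED spelling used in the post); the 10-second window and threshold of 3 are assumed tuning values, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on MIT krb5kdc's kdc.log; not a real capture.
# Client 10.1.2.3 shows the benign PREAUTH_FAILED -> NEEDED_PREAUTH -> ISSUE
# sequence produced by a salt mismatch on the first pre-auth attempt.
# Client 198.51.100.7 fails repeatedly and never receives a ticket.
SAMPLE_LOG = """\
Sep 25 13:00:01 kdc1 krb5kdc[2112](info): AS_REQ (1 etypes {1}) 10.1.2.3: PREAUTH_FAILED: webct@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Decrypt integrity check failed
Sep 25 13:00:01 kdc1 krb5kdc[2112](info): AS_REQ (1 etypes {1}) 10.1.2.3: NEEDED_PREAUTH: webct@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Additional pre-authentication required
Sep 25 13:00:02 kdc1 krb5kdc[2112](info): AS_REQ (1 etypes {1}) 10.1.2.3: ISSUE: authtime 1190739602, etypes {rep=1 tkt=1 ses=1}, webct@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Sep 25 13:00:10 kdc1 krb5kdc[2112](info): AS_REQ (1 etypes {1}) 198.51.100.7: PREAUTH_FAILED: alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Decrypt integrity check failed
Sep 25 13:00:11 kdc1 krb5kdc[2112](info): AS_REQ (1 etypes {1}) 198.51.100.7: PREAUTH_FAILED: alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Decrypt integrity check failed
Sep 25 13:00:12 kdc1 krb5kdc[2112](info): AS_REQ (1 etypes {1}) 198.51.100.7: PREAUTH_FAILED: alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Decrypt integrity check failed
Sep 25 13:00:13 kdc1 krb5kdc[2112](info): AS_REQ (1 etypes {1}) 198.51.100.7: PREAUTH_FAILED: alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Decrypt integrity check failed
"""

# Pull out timestamp, client IP, status keyword and client principal from an AS_REQ line.
# The optional "authtime ..., etypes {...}, " group only appears on ISSUE lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ .*? (?P<ip>\d+\.\d+\.\d+\.\d+): "
    r"(?P<status>PREAUTH_FAILED|NEEDED_PREAUTH|PREAUTH_NEEDED|ISSUE): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<client>\S+) for "
)


def parse(log_text):
    """Return a list of (timestamp, client_ip, client_principal, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AS_REQ line we care about (TGS_REQ, startup messages, ...)
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["client"], m["status"]))
    return events


def classify(log_text, window_seconds=10, threshold=3):
    """Separate salt-mismatch retries from unresolved pre-auth failures.

    A PREAUTH_FAILED is 'benign' when the same (ip, principal) gets an ISSUE
    within window_seconds afterwards: that is the retry-with-correct-salt
    pattern described in the thread. Anything else is counted as unresolved,
    and keys with at least `threshold` unresolved failures become alerts.
    (window_seconds and threshold are assumed tuning values.)
    """
    by_key = defaultdict(list)
    for ts, ip, client, status in parse(log_text):
        by_key[(ip, client)].append((ts, status))

    benign, unresolved = {}, {}
    for key, evs in by_key.items():
        evs.sort()
        issue_times = [t for t, s in evs if s == "ISSUE"]
        b = u = 0
        for t, s in evs:
            if s != "PREAUTH_FAILED":
                continue
            resolved = any(0 <= (it - t).total_seconds() <= window_seconds
                           for it in issue_times)
            if resolved:
                b += 1
            else:
                u += 1
        if b:
            benign[key] = b
        if u:
            unresolved[key] = u

    alerts = [(key, n) for key, n in unresolved.items() if n >= threshold]
    return {"benign_retries": benign, "unresolved_failures": unresolved, "alerts": alerts}


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for key, n in result["benign_retries"].items():
        print("salt-retry (ignore):", key, n)
    for key, n in result["alerts"]:
        print("ALERT: %d unresolved PREAUTH_FAILED for %s" % (n, key))
```

Run against the real kdc.log, this lets the WebCT principals keep their one-round-trip noise without being exempted wholesale: their failures are paired with an ISSUE seconds later, while a source that only ever produces PREAUTH_FAILED still trips the alert.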