random to key from password
Russ Allbery
rra at stanford.edu
Mon Sep 27 17:27:24 EDT 2010
Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> On Mon, Sep 27, 2010 at 04:22:20PM -0500, Nicolas Williams wrote:
>> On Mon, Sep 27, 2010 at 05:11:38PM -0400, Sam Hartman wrote:
>>> Claim to be a client that only supports DES. This is a random
>>> key--allowing use as a client is supposed to be reasonable even without
>>> preauth.
>> Ah, right. We really need to have a way to say which enctypes a service
>> princ is allowed to use as a client...
> And lacking that, make service princs require pre-auth.
Making service principals require pre-auth is hard if you haven't done
that uniformly from the start of your realm, since once they require
pre-auth, you can't authenticate to them with a non-pre-auth ticket. That
means you have to build a dependency order by starting with the service
principals that never authenticate to other service principals and work
through the list in dependency order, and that's a tricky migration.
We looked at doing that and then gave up.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev
mailing list