random to key from password
Nicolas Williams
Nicolas.Williams at oracle.com
Mon Sep 27 17:34:49 EDT 2010
On Mon, Sep 27, 2010 at 02:27:24PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> > And lacking that, make service princs require pre-auth.
>
> Making service principals require pre-auth is hard if you haven't done
> that uniformly from the start of your realm, since once they require
> pre-auth, you can't authenticate to them with a non-pre-auth ticket. That
> means you have to build a dependency order by starting with the service
> principals that never authenticate to other service principals and work
> through the list in dependency order, and that's a tricky migration.
> We looked at doing that and then gave up.
*sigh*
All this one-knob-controls-two-things stuff is annoying. Yes, often
that leads to fewer knobs, and fewer knobs is almost always better. But
sometimes conflating of related-but-different things does create
problems. Here we have a couple of instances: a) list of long-term
enctypes implies {enctypes supported for session keys, enctypes allowed
when acting as a client}, b) requires-preauth implies {must be
pre-authenticated when acting as a client, clients of this princ must be
pre-authenticated}.
At least nowadays all clients should support PA-ENC-TIMESTAMP, so you
could revisit your decision. But really, it'd be better to have more
knobs here.
Nico