random to key from password
Nicolas Williams
Nicolas.Williams at oracle.com
Mon Sep 27 18:44:53 EDT 2010
On Mon, Sep 27, 2010 at 03:20:38PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at oracle.com> writes:
>
> > At least nowadays all clients should support PA-ENC-TIMESTAMP, so you
> > could revisit your decision. But really, it'd be better to have more
> > knobs here.
>
> The problem wasn't that not all clients support PA-ENC-TIMESTAMP. The
> problem is that if you don't mark a principal as requiring pre-auth, no
> pre-auth will be done, even if the client supports it. Therefore, if you
> set a service principal as requiring pre-auth before setting all
> principals authenticating to that service principal as requiring pre-auth
> (and waiting for existing ticket caches to expire), authentications
> suddenly start failing.
Well, it helps to create all new user principals as requiring pre-auth,
set all clients' krb5.conf to use pre-auth, and then between attrition
and periodic mini-flag days for users on vacation... you'll get to where
you can use the big hammer on the KDC.
Nico
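As an added example (not part of the thread above, and not code from either poster), here is a small audit script for the staged rollout Nico describes: it reads the text that MIT kadmin's `getprinc` prints for each principal, looks only at the `Principal:` and `Attributes:` lines, and reports whether any service principal already has `REQUIRES_PRE_AUTH` while some client principal still lacks it (the ordering Russ warns about), and whether every client principal already requires pre-auth, so that flipping the realm-wide KDC setting is safe. The realm dump below is constructed, and treating any principal with a `/` component as a service principal is an assumption, not a Kerberos rule.

```python
"""Audit REQUIRES_PRE_AUTH coverage before a realm-wide pre-auth switch.

Assumptions: input is concatenated MIT kadmin `getprinc` output (only the
"Principal:" and "Attributes:" lines are read), and a principal whose
name has a '/' component is a service principal.  The sample dump is
constructed for this example and is not a real realm.
"""
import re

# Constructed sample: three users, two service principals.
SAMPLE_DUMP = """\
Principal: alice@EXAMPLE.ORG
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH

Principal: bob@EXAMPLE.ORG
Expiration date: [never]
Attributes:

Principal: carol@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH DISALLOW_FORWARDABLE

Principal: host/www.example.org@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH

Principal: imap/mail.example.org@EXAMPLE.ORG
Attributes:
"""


def parse_getprinc(text):
    """Return {principal: set(attribute flags)} from getprinc-style text."""
    result = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = re.match(r"Attributes:\s*(.*)", line)
        if m and current is not None:
            # An empty "Attributes:" line yields an empty set.
            result[current] = set(m.group(1).split())
    return result


def is_service_principal(name):
    """Assumed heuristic: 'svc/host@REALM' is a service, 'user@REALM' is not."""
    return "/" in name.split("@", 1)[0]


def preauth_report(text):
    """Classify principals for the staged rollout.

    clients_missing   : client principals without REQUIRES_PRE_AUTH
    services_enforced : service principals that already require pre-auth
    unsafe            : a service enforces pre-auth while some client does
                        not, the ordering that makes authentications fail
    kdc_ready         : every client already requires pre-auth, so the
                        realm-wide KDC switch changes nothing for users
    """
    princs = parse_getprinc(text)
    clients_missing = sorted(
        p for p, attrs in princs.items()
        if not is_service_principal(p) and "REQUIRES_PRE_AUTH" not in attrs)
    services_enforced = sorted(
        p for p, attrs in princs.items()
        if is_service_principal(p) and "REQUIRES_PRE_AUTH" in attrs)
    return {
        "clients_missing": clients_missing,
        "services_enforced": services_enforced,
        "unsafe": bool(clients_missing) and bool(services_enforced),
        "kdc_ready": not clients_missing,
    }


if __name__ == "__main__":
    report = preauth_report(SAMPLE_DUMP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed dump, `bob` still authenticates without pre-auth while `host/www.example.org` already enforces it, so the report flags the realm as unsafe and not yet ready for the KDC-wide change; the fix on the principal side is the per-principal flag (`modprinc +requires_preauth` in MIT kadmin) for each name listed under `clients_missing`, after which `kdc_ready` becomes true.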