random to key from password
Nicolas Williams
Nicolas.Williams at oracle.com
Mon Sep 27 18:59:42 EDT 2010
On Mon, Sep 27, 2010 at 03:49:15PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> > On Mon, Sep 27, 2010 at 03:20:38PM -0700, Russ Allbery wrote:
>
> >> The problem wasn't that not all clients support PA-ENC-TIMESTAMP. The
> >> problem is that if you don't mark a principal as requiring pre-auth, no
> >> pre-auth will be done, even if the client supports it. Therefore, if
> >> you set a service principal as requiring pre-auth before setting all
> >> principals authenticating to that service principal as requiring
> >> pre-auth (and waiting for existing ticket caches to expire),
> >> authentications suddenly start failing.
>
> > Well, it helps to create all new user principals as requiring pre-auth,
> > set all clients' krb5.conf to use pre-auth, and then between attrition
> > and periodic mini-flag days for users on vacation... you'll get to where
> > you can use the big hammer on the KDC.
>
> This still doesn't work: previously created service principals then can't
> authenticate to any new service created after one started setting pre-auth
> by default.
Yes they can: their client krb5.conf says to do pre-auth.
(Also, I meant first get the user principals to have requires-preauth.
Typically one has more control over servers than clients, so flag days
for servers, where you re-kinit them then mark them requires-preauth,
are much easier to handle.)
> We really did try this, and I don't think there's any way to do the
> transition when the two flags have mingled meaning without working out the
> dependency order of all of one's service principals.
So have I (though I grant that this is long in the past for me now).
Nico