random to key from password
Russ Allbery
rra at stanford.edu
Mon Sep 27 19:12:15 EDT 2010
Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> On Mon, Sep 27, 2010 at 03:49:15PM -0700, Russ Allbery wrote:

>> This still doesn't work: previously created service principals then
>> can't authenticate to any new service created after one started setting
>> pre-auth by default.

> Yes they can: their client krb5.conf says to do pre-auth.

Hm, this is a krb5.conf setting with which I was not previously familiar
and which so far as I can tell does not appear in the krb5.conf man page.
What's the name of it?

> (Also, I meant first get the user principals to have requires-preauth.

This is way easier; you can generally just set it, since nothing
authenticates *to* a user principal at most sites.

> Typically one has more control over servers than clients, so flag days
> for servers, where you re-kinit them then mark them requires-preauth,
> are much easier to handle.)

There's no way that we could do a flag day for servers. I must not be
understanding what you mean by this.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev
mailing list