Automatically randomizing principal keys (in preauth plugin)
irush at cs.huji.ac.il
Wed Mar 23 07:51:26 EDT 2011
I have a preauth plugin that authenticates the users and replaces the
response key, and I'm using an existing ldap user database for the
backend. I want to create the appropriate kerberos ldap attributes
without kadmin so it'll be easier to maintain.
My problem is with the krbPrincipalKey. If it's missing or empty, the
kdc won't authorize the user (even though the preauth succeeded). So as
I see it I have two basic options (besides using kadmin):
1. Have the preauth plugin check if there's a key available, and if not
create a random one and insert it into the database. Is this
possible? If so how and where in the plugin should I do it?
2. Have all users have the same static (random) key. Here the question
is how insecure is it? i.e. I force the use of my preauth plugin as
it's the only one installed that provides HW authentication
(allegedly). So is this key actually used anywhere?
Any other suggestion would be appreciated.
Thanks in advance,
More information about the krbdev