Automatically randomizing principal keys (in preauth plugin)

Yair Yarom irush at
Wed Mar 23 07:51:26 EDT 2011

Hi all, 

I have a preauth plugin that authenticates the users and replaces the
response key, and I'm using an existing LDAP user database for the
backend. I want to create the appropriate Kerberos LDAP attributes
without kadmin so it'll be easier to maintain.

My problem is with the krbPrincipalKey. If it's missing or empty, the
KDC won't authorize the user (even though the preauth succeeded). So as
I see it I have two basic options (besides using kadmin):

1. Have the preauth plugin check if there's a key available, and if not
   create a random one and insert it into the database. Is this
   possible? If so how and where in the plugin should I do it?

2. Have all users have the same static (random) key. Here the question
   is how insecure that is: I force the use of my preauth plugin, as
   it's the only one installed that provides HW authentication
   (allegedly). So is this key actually used anywhere?

Any other suggestion would be appreciated.

Thanks in advance,
