Automatically randomizing principal keys (in preauth plugin)

Luke Howard lukeh at
Wed Mar 23 07:58:23 EDT 2011

> My problem is with the krbPrincipalKey. If it's missing or empty, the
> kdc won't authorize the user (even though the preauth succeeded). So as
> I see it I have two basic options (besides using kadmin):
> 1. Have the preauth plugin check if there's a key available, and if not
>   create a random one and insert it into the database. Is this
>   possible? If so how and where in the plugin should I do it?
> 2. Have all users have the same static (random) key. Here the question
>   is how insecure is it? i.e. I force the use of my preauth plugin as
>   it's the only one installed that provides HW authentication
>   (allegedly). So is this key actually used anywhere?
> Any other suggestion would be appreciated.

What about fixing the real problem, which appears to be that the KDC (or KDB library) requires the user to have a key?

(True this won't work if you can't recompile the KDC.)

-- Luke

More information about the krbdev mailing list