Automatically randomizing principal keys (in preauth plugin)
lukeh at padl.com
Wed Mar 23 07:58:23 EDT 2011
> My problem is with the krbPrincipalKey. If it's missing or empty, the
> kdc won't authorize the user (even though the preauth succeeded). So as
> I see it I have two basic options (besides using kadmin):
> 1. Have the preauth plugin check if there's a key available, and if not
> create a random one and insert it into the database. Is this
> possible? If so how and where in the plugin should I do it?
> 2. Have all users have the same static (random) key. Here the question
> is how insecure is it? i.e. I force the use of my preauth plugin as
> it's the only one installed that provides HW authentication
> (allegedly). So is this key actually used anywhere?
> Any other suggestion would be appreciated.
What about fixing the real problem, which appears to be that the KDC (or KDB library) requires the user to have a key?
(True this won't work if you can't recompile the KDC.)