Re: preauth_always option?
On May 28, 2008, at 1:15 PM, Michael B Allen wrote:
> Hi,
>
> It seems Windows records a "preauthentication failed" event log error
> when the AS-REQ doesn't include pre-authentication data. This is a benign
> error of course but it confuses people and is generally annoying. My
> understanding is that preauthentication is pretty much required by
> everyone at this point, no?
>
> Does anyone have a patch to make get_in_tkt.c always send
> preauthentication data?
>
> For example, the following could indicate that the client should always
> send KRB5_PADATA_ENC_TIMESTAMP preauthentication data:
>
> [libdefaults]
> preauth_always = 2
>
> If not I'll make one and post it but I was hoping someone else had done
> this already.
>
> Mike
I'd like an option like that, no question.

We should at least consider how MIT does it though. If you use
krb5_get_init_creds_opt_set_preauth_list() to set the client-allowed
preauth types, then MIT will preemptively use one of them in the
initial AS-REQ. Heimdal "supports" the API, but ignores the list for
the initial AS-REQ.

If we do something other than support the "standard" API, then I'd
suggest an option like

[libdefaults]
default_initial_preauth_type = timestamp

The current default for that parameter, of course, is "none". I'm
assuming that the client is well-behaved when faced with a server that
e.g. requires PKINIT or SAM2 instead of timestamp preauth. It should
still retry with a supported preauth type if the first try isn't
acceptable, and it *can* talk one of the desired preauth types.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
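The round trips argued about in this thread, as an added Python model that is not code from the thread, Heimdal or MIT krb5: the client's first AS-REQ either carries pre-auth data (the proposed default_initial_preauth_type) or not, the KDC answers with KDC_ERR_PREAUTH_REQUIRED and hints, and a well-behaved client retries with a hinted type it supports. The padata type numbers are the RFC 4120 / krb5.h values; the KDC policy, the retry rule and the "preauthentication failed" log entry are simplifying assumptions.

```python
"""Toy model of AS-REQ pre-authentication negotiation (added illustration,
not Heimdal or MIT krb5 code).  Type numbers follow RFC 4120 / krb5.h; the
KDC policy, retry rule and event log entry are simplifying assumptions."""
KRB5_PADATA_ENC_TIMESTAMP = 2    # encrypted timestamp pre-auth
KRB5_PADATA_PK_AS_REQ = 16       # PKINIT
KDC_ERR_PREAUTH_REQUIRED = 25

PREAUTH_TYPES = {"timestamp": KRB5_PADATA_ENC_TIMESTAMP,
                 "pkinit": KRB5_PADATA_PK_AS_REQ}


class Kdc:
    """KDC that insists on one of `accepted` pre-auth types for every AS-REQ."""

    def __init__(self, accepted):
        self.accepted = set(accepted)
        self.events = []   # constructed stand-in for the Windows event log

    def as_req(self, padata):
        if self.accepted & set(padata):
            return ("AS-REP", None)
        if not padata:
            # The benign-but-noisy case from the thread: a first AS-REQ with
            # no pre-auth data at all is recorded as a failure.
            self.events.append("preauthentication failed")
        # The error carries hints about which pre-auth types are acceptable.
        return ("KRB-ERROR", (KDC_ERR_PREAUTH_REQUIRED, sorted(self.accepted)))


def get_init_creds(kdc, supported, default_initial="none"):
    """Client side.  `default_initial` plays the role of the proposed
    default_initial_preauth_type option ("none" = send no pre-auth data first);
    `supported` lists what the client can talk.  Returns (outcome, AS-REQs sent)."""
    can_do = {PREAUTH_TYPES[name] for name in supported}
    first = [] if default_initial == "none" else [PREAUTH_TYPES[default_initial]]
    reply, err = kdc.as_req(first)
    if reply == "AS-REP":
        return "ok", 1
    code, hints = err
    # Well-behaved retry: pick a hinted type we actually support, else give up.
    usable = [t for t in hints if t in can_do]
    if code != KDC_ERR_PREAUTH_REQUIRED or not usable:
        return "failed", 1
    reply, _ = kdc.as_req([usable[0]])
    return ("ok" if reply == "AS-REP" else "failed"), 2
```

With the default of "none" the timestamp-only KDC logs one failure and the client needs two requests; with default_initial_preauth_type = timestamp it is one request and no log entry, and a PKINIT-only KDC still gets a correct second try when the client supports PKINIT.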