Re: preauth_always option?
On Wed, 28 May 2008 17:15:13 -0700
"Henry B. Hotz" <hotz@jpl.nasa.gov> wrote:
>
> On May 28, 2008, at 1:15 PM, Michael B Allen wrote:
>
> > Hi,
> >
> > It seems Windows records a "preauthentication failed" event log error
> > when the AS-REQ doesn't include pre-authentication data. This is a benign
> > error of course but it confuses people and is generally annoying. My
> > understanding is that preauthentication is pretty much required by
> > everyone at this point, no?
> >
> > Does anyone have a patch to make get_in_tkt.c always send
> > preauthentication data?
> >
> > For example, the following could indicate that the client should always
> > send KRB5_PADATA_ENC_TIMESTAMP preauthentication data:
> >
> > [libdefaults]
> > preauth_always = 2
> >
> > If not I'll make one and post it but I was hoping someone else had done
> > this already.
> >
> > Mike
>
> I'd like an option like that, no question.
>
> We should at least consider how MIT does it though. If you use
> krb5_get_init_creds_opt_set_preauth_list() to set the client-allowed
> preauth types, then MIT will preemptively use one of them in the
> initial AS_REQ. Heimdal "supports" the API, but ignores the list for
> the initial AS-REQ.
>
> If we do something other than support the "standard" API, then I'd
> suggest an option like
>
> [libdefaults]
> default_initial_preauth_type = timestamp
>
> The current default for that parameter, of course, is "none". I'm
> assuming that the client is well-behaved when faced with a server that
> e.g. requires PKINIT or SAM2 instead of timestamp preauth. It should
> still retry with a supported preauth type if the first try isn't
> acceptable, and it *can* talk one of the desired preauth types.
Good points. I'll try to copy the MIT code.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
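The behaviour Henry describes (send a default preauth type preemptively, fall back to a KDC-hinted type the client supports if the first try is rejected) and the log noise Mike is trying to avoid, as an added toy model that is not Heimdal or MIT code. The KDC, the HMAC stand-in for PA-ENC-TIMESTAMP, the key derivation, the string type names and the "hints" field are all constructed for this example; real AS-REQ/AS-REP encoding and RFC 3961 crypto are out of scope.

```python
import hashlib, hmac, time

# Stand-ins for the KRB5_PADATA_* type codes (constructed names, not the real numeric values).
PA_ENC_TIMESTAMP, PA_PKINIT, PA_SAM2 = "timestamp", "pkinit", "sam2"
CLOCK_SKEW = 300  # seconds the KDC tolerates on the encrypted timestamp

def string_to_key(password: str) -> bytes:
    # Toy key derivation standing in for Kerberos string2key (constructed, not RFC 3961).
    return hashlib.sha256(password.encode()).digest()

def make_enc_timestamp(key: bytes, now: int) -> dict:
    # PA-ENC-TIMESTAMP modelled as an HMAC over the current time instead of real krb5 encryption.
    ts = str(now).encode()
    return {"ts": ts, "mac": hmac.new(key, ts, hashlib.sha256).digest()}

class Kdc:
    """Toy KDC: accepts one of `required` preauth types and logs every AS-REQ that lacks one."""
    def __init__(self, required, key):
        self.required, self.key, self.events = set(required), key, []

    def as_req(self, client: str, padata: dict, now: int) -> dict:
        ptype = next((p for p in padata if p in self.required), None)
        if ptype is None:  # no usable padata: this is the benign but noisy event from the thread
            self.events.append(f"preauthentication failed for {client}")
            return {"error": "KDC_ERR_PREAUTH_REQUIRED", "hints": sorted(self.required)}
        if ptype == PA_ENC_TIMESTAMP:  # other types are accepted unchecked in this toy model
            pa = padata[ptype]
            expected = hmac.new(self.key, pa["ts"], hashlib.sha256).digest()
            if not hmac.compare_digest(pa["mac"], expected) or abs(int(pa["ts"]) - now) > CLOCK_SKEW:
                self.events.append(f"preauthentication failed for {client}")
                return {"error": "KDC_ERR_PREAUTH_FAILED"}
        return {"as_rep": f"TGT for {client}"}

def get_init_creds(kdc: Kdc, client: str, key: bytes, supported, initial=None, now=None):
    """Client: send `initial` preauth preemptively (the proposed default_initial_preauth_type,
    None meaning today's default), then retry once with a KDC-hinted type the client supports.
    Returns (KDC reply, number of AS-REQs sent)."""
    now = int(time.time()) if now is None else now
    def build(ptype):
        if ptype is None:
            return {}
        body = make_enc_timestamp(key, now) if ptype == PA_ENC_TIMESTAMP else b"<opaque padata>"
        return {ptype: body}
    rep = kdc.as_req(client, build(initial), now)
    if "as_rep" in rep:
        return rep, 1
    for hint in rep.get("hints", []):
        if hint in supported:
            return kdc.as_req(client, build(hint), now), 2
    return rep, 1
```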