[32265] in Kerberos


Re: Configuring preauth

daemon@ATHENA.MIT.EDU (Tom Parker)
Thu Apr 15 14:23:38 2010

Message-ID: <4BC759A2.1040105@cbnco.com>
Date: Thu, 15 Apr 2010 14:23:30 -0400
From: Tom Parker <tparker@cbnco.com>
MIME-Version: 1.0
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <4BC75773.2050408@kickflop.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

From my understanding you need to enable preauth per principal.

When I enabled preauth on my server I had to write a little script that
added the +require_preauth to my users:

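#!/bin/sh
# List all principals, dropping service/admin principals (those containing
# a "/") and the "kadmin.local:" prompt lines.
USERS=$(echo "get_principals" | kadmin.local | grep -v \/ | grep -v kadmin.local:)
### Note 'grep -v \/' is a \ and / not the letter V.
OPTIONS="+requires_preauth"

# Set the flag on each remaining (user) principal.
for PRINCIPAL in $USERS
do
        echo "Updating $PRINCIPAL"
        echo "modify_principal $OPTIONS $PRINCIPAL" | kadmin.local >/dev/null
done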

I also set

[realms]
    MYREALM.COM = {
        default_principal_flags = +preauth
    }

in my kdc.conf to automatically add the +require_preauth flag to any new
principals.

Hope this helps.


On 04/15/2010 02:14 PM, Jeff Blaine wrote:
> MIT Kerberos 1.8, all Linux for now, custom build
>
> It's my understanding that the existence of a preauth
> module in lib/krb5/plugins makes the module required.
>
> Is that correct?  I bet it's not, and if so, I would
> love to have someone explain what reality is.
>
> Is there any documentation on configuring preauth at
> all?  I already found +require_preauth as part of
> addprinc/modprinc
>
> Thanks for any help!
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>   
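A follow-up check for the script in the message above, as an added example that is not part of the original post or of MIT Kerberos: it reports user principals that still lack the preauth requirement after the bulk update. It assumes `getprinc` prints an `Attributes:` line with space-separated names including `REQUIRES_PRE_AUTH`; the `KADMIN` variable, the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report user principals that
# do not require preauthentication.
KADMIN=${KADMIN:-kadmin.local}   # assumption: run as root on the KDC

# Constructed samples of kadmin output (assumed MIT layout, trimmed).
SAMPLE_LIST='Authenticating as principal root/admin@MYREALM.COM with password.
K/M@MYREALM.COM
kadmin/admin@MYREALM.COM
krbtgt/MYREALM.COM@MYREALM.COM
alice@MYREALM.COM
bob@MYREALM.COM'
SAMPLE_PREAUTH='Principal: alice@MYREALM.COM
Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH
Policy: [none]'
SAMPLE_NO_PREAUTH='Principal: bob@MYREALM.COM
Attributes:
Policy: [none]'

# Keep only bare user principals: a single token with a realm and no "/"
# (service/admin principals). This also drops banner and prompt lines.
list_user_principals() {
    grep -E '^[^/[:space:]]+@[^[:space:]]+$'
}

# Read getprinc output on stdin; succeed only if the Attributes line
# carries REQUIRES_PRE_AUTH as a whole word.
has_preauth() {
    awk '/^Attributes:/ {
             for (i = 2; i <= NF; i++) if ($i == "REQUIRES_PRE_AUTH") found = 1
         }
         END { exit !found }'
}

# Print every user principal missing the flag; return 1 if any was found.
audit_preauth() {
    missing=0
    for p in $("$KADMIN" -q "get_principals" 2>/dev/null | list_user_principals)
    do
        if ! "$KADMIN" -q "getprinc $p" 2>/dev/null | has_preauth; then
            echo "MISSING requires_preauth: $p"
            missing=1
        fi
    done
    return "$missing"
}
```

Call `audit_preauth` after the bulk update; a non-zero return means at least one user principal was listed as missing the flag.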