[16396] in Kerberos_V5_Development
Re: random to key from password
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 27 17:27:28 2010
From: Russ Allbery <rra@stanford.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
In-Reply-To: <20100927212257.GD7858@oracle.com> (Nicolas Williams's message of
"Mon, 27 Sep 2010 16:22:57 -0500")
Date: Mon, 27 Sep 2010 14:27:24 -0700
Message-ID: <87k4m6swqr.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: lha@h5l.org, Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Nicolas Williams <Nicolas.Williams@oracle.com> writes:
> On Mon, Sep 27, 2010 at 04:22:20PM -0500, Nicolas Williams wrote:
>> On Mon, Sep 27, 2010 at 05:11:38PM -0400, Sam Hartman wrote:
>>> Claim to be a client that only supports DES. This is a random
>>> key--allowing use as a client is supposed to be reasonable even without
>>> preauth.
>> Ah, right. We really need to have a way to say which enctypes a service
>> princ is allowed to use as a client...
> And lacking that, make service princs require pre-auth.
Making service principals require pre-auth is hard if you haven't done
that uniformly from the start of your realm, since once they require
pre-auth, you can't authenticate to them with a non-pre-auth ticket. That
means you have to build a dependency order by starting with the service
principals that never authenticate to other service principals and work
through the list in dependency order, and that's a tricky migration.
We looked at doing that and then gave up.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
