[16401] in Kerberos_V5_Development

Re: random to key from password

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 27 18:26:05 2010

From: Russ Allbery <rra@stanford.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
In-Reply-To: <20100927213448.GS9501@oracle.com> (Nicolas Williams's message of
	"Mon, 27 Sep 2010 16:34:49 -0500")
Date: Mon, 27 Sep 2010 15:20:38 -0700
Message-ID: <8739susua1.fsf@windlord.stanford.edu>
Cc: lha@h5l.org, Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu

Nicolas Williams <Nicolas.Williams@oracle.com> writes:

> At least nowadays all clients should support PA-ENC-TIMESTAMP, so you
> could revisit your decision.  But really, it'd be better to have more
> knobs here.

The problem wasn't that not all clients support PA-ENC-TIMESTAMP.  The
problem is that if you don't mark a principal as requiring pre-auth, no
pre-auth will be done, even if the client supports it.  Therefore, if you
set a service principal as requiring pre-auth before setting all
principals authenticating to that service principal as requiring pre-auth
(and waiting for existing ticket caches to expire), authentications
suddenly start failing.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
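
Added example, not part of the original message or of any Kerberos distribution: a rollout-order check for the situation described above. It reads constructed `kadmin getprinc`-style records for the clients of one service, lists the clients still missing REQUIRES_PRE_AUTH, and otherwise reports the earliest time to flag the service. Assumptions: the realm, the principals and the `FLAGGED_AT` timestamps are made up, and "waiting for existing ticket caches to expire" is modelled as the longer of the maximum ticket life and the maximum renewable life after each client was flagged.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in the style of `kadmin getprinc` output (not real data).
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Attributes: REQUIRES_PRE_AUTH

Principal: bob@EXAMPLE.ORG
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes:
"""
# Hypothetical record of when each client principal was marked as requiring pre-auth.
FLAGGED_AT = {"alice@EXAMPLE.ORG": datetime(2010, 9, 27, 12, 0),
              "bob@EXAMPLE.ORG": datetime(2010, 9, 28, 9, 0)}

DUR = re.compile(r"(\d+) days? (\d+):(\d+):(\d+)")

def parse_duration(text):
    d, h, m, s = map(int, DUR.search(text).groups())
    return timedelta(days=d, hours=h, minutes=m, seconds=s)

def parse_principals(dump):
    """Return {principal: {"preauth": bool, "window": timedelta}}."""
    out = {}
    for block in dump.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in block.splitlines())
        life = parse_duration(fields["Maximum ticket life"])
        renew = parse_duration(fields["Maximum renewable life"])
        out[fields["Principal"].strip()] = {
            "preauth": "REQUIRES_PRE_AUTH" in fields["Attributes"].split(),
            # Assumption: an old cache can outlive the flag change by this long.
            "window": max(life, renew),
        }
    return out

def service_flag_plan(dump, flagged_at):
    """Return (clients still unflagged, earliest safe time to flag the service)."""
    clients = parse_principals(dump)
    unflagged = sorted(p for p, c in clients.items() if not c["preauth"])
    if unflagged:
        return unflagged, None  # flagging the service now would break these clients
    return [], max(flagged_at[p] + c["window"] for p, c in clients.items())

if __name__ == "__main__":
    print(service_flag_plan(SAMPLE, FLAGGED_AT))
```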