[16402] in Kerberos_V5_Development
Re: random to key from password
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Sep 27 18:47:03 2010
Date: Mon, 27 Sep 2010 17:44:53 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20100927224453.GW9501@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <8739susua1.fsf@windlord.stanford.edu>
Cc: lha@h5l.org, Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, Sep 27, 2010 at 03:20:38PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams@oracle.com> writes:
>
> > At least nowadays all clients should support PA-ENC-TIMESTAMP, so you
> > could revisit your decision. But really, it'd be better to have more
> > knobs here.
>
> The problem wasn't that not all clients support PA-ENC-TIMESTAMP. The
> problem is that if you don't mark a principal as requiring pre-auth, no
> pre-auth will be done, even if the client supports it. Therefore, if you
> set a service principal as requiring pre-auth before setting all
> principals authenticating to that service principal as requiring pre-auth
> (and waiting for existing ticket caches to expire), authentications
> suddenly start failing.
Well, it helps to create all new user principals are requiring pre-auth,
set all clients' krb5.conf to use pre-auth, and then between attrition
and periodic mini-flag days for users on vacation... you'll get to where
you can use the big hammer on the KDC.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
