[16405] in Kerberos_V5_Development
Re: random to key from password
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 27 19:12:25 2010
From: Russ Allbery <rra@stanford.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
In-Reply-To: <20100927225942.GX9501@oracle.com> (Nicolas Williams's message of
"Mon, 27 Sep 2010 17:59:42 -0500")
Date: Mon, 27 Sep 2010 16:12:15 -0700
Message-ID: <87eicerdbk.fsf@windlord.stanford.edu>
Cc: lha@h5l.org, Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu
Nicolas Williams <Nicolas.Williams@oracle.com> writes:
> On Mon, Sep 27, 2010 at 03:49:15PM -0700, Russ Allbery wrote:

>> This still doesn't work: previously created service principals then
>> can't authenticate to any new service created after one started setting
>> pre-auth by default.

> Yes they can: their client krb5.conf says to do pre-auth.

Hm, this is a krb5.conf setting with which I was not previously familiar
and which so far as I can tell does not appear in the krb5.conf man page.
What's the name of it?

> (Also, I meant first get the user principals to have requires-preauth.

This is way easier; you can generally just set it, since nothing
authenticates *to* a user principal at most sites.

> Typically one has more control over servers than clients, so flag days
> for servers, where you re-kinit them then mark them requires-preauth,
> are much easier to handle.)

There's no way that we could do a flag day for servers. I must not be
understanding what you mean by this.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>