[16713] in Kerberos_V5_Development
Automatically randomizing principal keys (in preauth plugin)
daemon@ATHENA.MIT.EDU (Yair Yarom)
Wed Mar 23 07:51:44 2011
From: Yair Yarom <irush@cs.huji.ac.il>
To: krbdev@mit.edu
Date: Wed, 23 Mar 2011 13:51:26 +0200
Message-ID: <x8q7hbqcawx.fsf@mantis.cs.huji.ac.il>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hi all,
I have a preauth plugin that authenticates the users and replaces the
response key, and I'm using an existing LDAP user database for the
backend. I want to create the appropriate Kerberos LDAP attributes
without kadmin so it'll be easier to maintain.
My problem is with the krbPrincipalKey. If it's missing or empty, the
KDC won't authorize the user (even though the preauth succeeded). So, as
I see it, I have two basic options (besides using kadmin):
1. Have the preauth plugin check if there's a key available and, if not,
create a random one and insert it into the database. Is this
possible? If so, how and where in the plugin should I do it?
2. Have all users use the same static (random) key. Here the question
is how insecure this is, i.e., I force the use of my preauth plugin as
it's the only one installed that provides HW authentication
(allegedly). So is this key actually used anywhere?
Any other suggestion would be appreciated.
Thanks in advance,
Yair.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev