I am one of many administrators for a network of 50 machines running MIT Kerberos on Solaris. Recently, another administrator installed a Cisco VPN Magic Box that supposedly uses Kerberos authentication, but won't work unless preauthentication is turned off. With preauthentication turned off for any given principal, ticket forwarding no longer works for that principal. I guess my question is threefold:
1. What does preauth _actually_ do? From some reading, I believed it to be based on clock skew, and fixed the clock skew between the VPN box and the Kerberos server, but preauth still fails. All the KDC logs say is that preauth is required, just as they would for a successful kinit, but with no successful kinit afterward. Of course, all the Cisco box gives me is "Authentication Failure." Unfortunately, I do not have a choice as to whether or not to use this product.

2. Assuming I have no choice but to turn off preauth for the Cisco box, is there any way to make SSH ticket forwarding work with preauth turned off? It works just fine as my system stands with preauth turned on, but when preauth goes off, ticket forwarding stops working. This makes sense as a security feature and I realize I am shooting myself in the foot, but I am being ordered to shoot myself in the foot, and I am trying to minimize immediate bleeding. :)

3. Does anyone have experience making MIT Kerberos work with a Cisco VPN 3000? I've looked through the Cisco documentation and it doesn't mention preauth or really much of anything except how to format your @ signs.

Any suggestions would be greatly appreciated; thank you.

-r.
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
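Editor's note, added to this archived post and not part of the original message or of MIT Kerberos: the preauthentication the poster asks about is PA-ENC-TIMESTAMP (RFC 4120 section 5.2.7.2). The client encrypts its current time under its long-term key and sends that with the AS-REQ; the KDC decrypts it with the key it holds for that principal and accepts it only if the timestamp is within the configured clock skew. Without preauth the KDC returns an AS-REP whose encrypted part is keyed to the principal's password to anyone who asks for it, so the password can be guessed offline. The model below shows both behaviours. The cipher, key derivation, principal names ("alice", "vpn/box") and passwords are constructed stand-ins, not real Kerberos enctypes or data from the post; only the order of checks follows the protocol.

```python
"""Simplified model of Kerberos PA-ENC-TIMESTAMP preauthentication.

Added illustration, not code from the original post or from MIT krb5.
string2key/encrypt/decrypt are toy stand-ins for the real enctypes; the
KDC's decision logic is what the example is about.
"""
import hashlib
import hmac
import os

MAX_SKEW = 300  # seconds; MIT krb5's default clockskew


def string2key(password, principal):
    """Stand-in for Kerberos string2key (salted password -> long-term key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Toy encrypt-then-MAC: random nonce, HMAC-derived keystream, HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Raise ValueError if the key is wrong (tag mismatch), like a Kerberos enctype."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, principals, clock):
        # principals: {name: (password, requires_preauth)}; clock: KDC's own time (epoch secs)
        self.db = {n: (string2key(pw, n), req) for n, (pw, req) in principals.items()}
        self.clock = clock

    def as_req(self, client, pa_enc_timestamp):
        """Process an AS-REQ. Returns (status, enc_part); enc_part is keyed to the client."""
        key, requires_preauth = self.db[client]
        if requires_preauth:
            if pa_enc_timestamp is None:
                return "KDC_ERR_PREAUTH_REQUIRED", None      # what the poster sees in the KDC log
            try:
                ts = int.from_bytes(decrypt(key, pa_enc_timestamp), "big")
            except ValueError:
                return "KDC_ERR_PREAUTH_FAILED", None        # wrong key: the client did not prove it
            if abs(ts - self.clock) > MAX_SKEW:
                return "KRB_AP_ERR_SKEW", None               # timestamp outside clockskew
        # With preauth off this is returned to any requester, with no proof of key knowledge.
        session_key = os.urandom(32)
        return "AS-REP", encrypt(key, session_key)


def kinit(kdc, client, password, client_clock, send_preauth=True):
    """Client side: optionally send PA-ENC-TIMESTAMP, then try to open the AS-REP."""
    key = string2key(password, client)
    pa = encrypt(key, client_clock.to_bytes(8, "big")) if send_preauth else None
    status, enc_part = kdc.as_req(client, pa)
    if status != "AS-REP":
        return status
    try:
        decrypt(key, enc_part)
    except ValueError:
        return "BAD_PASSWORD"  # KDC answered anyway; only the client notices
    return "OK"


def offline_guess(kdc, client, candidates):
    """Why preauth matters: against a principal with preauth disabled, anyone can fetch
    an AS-REP and test password candidates offline against its encrypted part."""
    status, enc_part = kdc.as_req(client, None)
    if status != "AS-REP":
        return None  # preauth required: no key-encrypted material handed out
    for pw in candidates:
        try:
            decrypt(string2key(pw, client), enc_part)
            return pw
        except ValueError:
            continue
    return None
```

Run with a KDC built from the constructed principals: a principal that requires preauth answers an unauthenticated AS-REQ with KDC_ERR_PREAUTH_REQUIRED, a wrong password with KDC_ERR_PREAUTH_FAILED, and a client clock 600 seconds off with KRB_AP_ERR_SKEW, which is why fixing skew alone does not help when the box never sends a valid PA-ENC-TIMESTAMP. The principal with preauth disabled gets an AS-REP regardless, and `offline_guess` recovers its password from a short candidate list.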
