On 11/17/2011 06:49 PM, Chris Hecker wrote: > Thinking about it, the flag seems to be doing double duty
Yes, it is, with one of the duties having questionable benefits. It's not a good situation, but it's also difficult to change without potentially lowering the security of existing deployments, which we're very conservative about. > 2. On a related note, is there any way to default +requires_preauth on > princs? The default_principal_flags setting Dennis mentioned is the only knob we currently have, with the proviso that (1) any flag specified in kadmin commands will completely override, rather than amend, the default flags, and (2) the flags will apply to all created principals; there's no way to distinguish between users and servers. I've been considering adding a config variable which turns on specified flags (or maybe just +requires_preauth, -allow_svr) only for principals with password-derived keys which aren't krbtgt instances. (Cross TGT principals are generally created with password-derived keys because there's no other way to force the same key on both KDCs. But you need them to work as server principals, so you just have to pick a really good password.) ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
