> Yes, it is, with one of the duties having questionable benefits.
> It's not a good situation, but it's also difficult to change without
> potentially lowering the security of existing deployments, which
> we're very conservative about.

Understandably. :)  Maybe at least there should be something added to
the documentation, since if you either a) set +requires_preauth on a
service princ (which has been suggested before on this list
occasionally without any discussion of this issue nearby, so it might
catch people), or b) use u2u between clients, then you basically need
to make sure _everybody_ has +requires_preauth set or you're going to
get weird TGS_REQ failures.

One other thing that would have helped me is to switch this error from
KRB5KRB_ERR_GENERIC to something that can be reasoned about on the
client side.  I had to trace through the creds code on the client, find
it was coming from the KDC, look at the KDC logs, then the source, and
then search to actually get the whole picture of what was going on.
Could it be switched to KRB5KDC_ERR_PREAUTH_REQUIRED, with better text
maybe, or make a new error if that would be too overloaded?

Chris

On 2011/11/18 07:36, Greg Hudson wrote:
> On 11/17/2011 06:49 PM, Chris Hecker wrote:
>> Thinking about it, the flag seems to be doing double duty
>
> Yes, it is, with one of the duties having questionable benefits.  It's
> not a good situation, but it's also difficult to change without
> potentially lowering the security of existing deployments, which we're
> very conservative about.
>
>> 2. On a related note, is there any way to default +requires_preauth on
>> princs?
>
> The default_principal_flags setting Dennis mentioned is the only knob we
> currently have, with the proviso that (1) any flag specified in kadmin
> commands will completely override, rather than amend, the default flags,
> and (2) the flags will apply to all created principals; there's no way
> to distinguish between users and servers.
>
> I've been considering adding a config variable which turns on specified
> flags (or maybe just +requires_preauth, -allow_svr) only for principals
> with password-derived keys which aren't krbtgt instances.  (Cross TGT
> principals are generally created with password-derived keys because
> there's no other way to force the same key on both KDCs.  But you need
> them to work as server principals, so you just have to pick a really
> good password.)

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
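
The consistency requirement discussed in this message (once a service principal carries +requires_preauth, principals without the flag run into TGS_REQ failures) can be audited from kadmin output. The script below is an added example, not part of the original thread or of the krb5 distribution; the principal names and the EXAMPLE.TEST realm are constructed, and it assumes the "Principal:" and "Attributes:" lines that MIT kadmin's getprinc prints.

```shell
#!/bin/sh
# Added example (not from the thread): report principals whose getprinc
# output lacks the REQUIRES_PRE_AUTH attribute.
#
# On a KDC the input would come from something like (assumed workflow):
#   for p in $(kadmin.local -q listprincs | grep @); do
#       kadmin.local -q "getprinc $p"
#   done | missing_preauth

# Reads concatenated getprinc output on stdin and prints one principal
# per line for every entry without REQUIRES_PRE_AUTH. Lines other than
# "Principal:" and "Attributes:" are ignored.
missing_preauth() {
    awk '
        function flush() { if (seen && !ok) print princ }
        /^Principal: /  { flush(); princ = $2; seen = 1; ok = 0; next }
        /^Attributes:/  {
            # Compare whole fields so a longer flag name cannot match.
            for (i = 2; i <= NF; i++)
                if ($i == "REQUIRES_PRE_AUTH") ok = 1
        }
        END { flush() }
    '
}

# Constructed sample input, trimmed to the lines the audit reads.
sample_getprinc() {
    cat <<'EOF'
Authenticating as principal admin/admin@EXAMPLE.TEST with password.
Principal: host/app.example.test@EXAMPLE.TEST
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: alice@EXAMPLE.TEST
Attributes:
Policy: [none]
Principal: bob@EXAMPLE.TEST
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]
Principal: carol@EXAMPLE.TEST
Attributes: DISALLOW_SVR
Policy: [none]
EOF
}

# Demonstration run on the constructed sample.
sample_getprinc | missing_preauth
```
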
