On Thu, Sep 20, 2012 at 03:47:30PM -0400, Greg Hudson wrote:
> On 09/19/2012 04:07 PM, Jack Neely wrote:
> > How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> > initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.)
>
> Unfortunately, you can't, unless you control the code which is getting
> initial tickets. If you're just using stock kinit or the like, there's
> no runtime configuration option to do optimistic preauthentication.
>
> If you do control the code which is getting initial tickets, you can use
> krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
> types to try optimistically.

Note, if the princ record in the KDB doesn't contain a key for the
enctype used to protect the preauth data in the AS_REQ the KDC will send
back an error and the show is over at that point. I learned this the
hard way when I modified pam_krb5 to do optimistic preauth (I had to
remove that logic).

--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
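
An added illustration, not code from this thread or from MIT krb5: a simplified Python model of the AS exchange showing why an optimistic PA-ENC-TIMESTAMP fails when the principal has no key of the guessed enctype, while the conventional exchange learns the enctype from the KDC's first reply. The KDB contents, the `NO_KEY_FOR_ENCTYPE` and `PREAUTH_FAILED` labels, the HMAC stand-in for Kerberos encryption, and the `fallback` option are assumptions of this model.

```python
import hashlib, hmac, time

def derive_key(password, etype):
    # Stand-in for Kerberos string-to-key (an assumption of this model).
    return hashlib.sha256(f"{etype}:{password}".encode()).digest()

# Constructed KDB: the principal only has a key for enctype 23 (rc4-hmac).
KDB = {"user@EXAMPLE.COM": {23: derive_key("constructed-password", 23)}}

def seal_timestamp(key, now):
    # Stand-in for PA-ENC-TIMESTAMP: an HMAC tag, not real Kerberos encryption.
    msg = str(now).encode()
    return msg, hmac.new(key, msg, hashlib.sha256).digest()

def kdc_as_req(princ, padata=None):
    keys = KDB[princ]
    if padata is None:
        # No preauth sent: the KDC's error reply names the enctypes it holds keys for.
        return {"error": "KDC_ERR_PREAUTH_REQUIRED", "etype_info2": sorted(keys)}
    etype, (msg, tag) = padata
    if etype not in keys:
        # The failure described above: no key of the enctype the client chose.
        return {"error": "NO_KEY_FOR_ENCTYPE"}  # model label, not a protocol code
    expected = hmac.new(keys[etype], msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return {"error": "PREAUTH_FAILED"}  # model label
    return {"ticket": f"TGT for {princ}"}

def client_conventional(princ, password):
    # Two round trips: ask first, then use an enctype the KDC advertised.
    hint = kdc_as_req(princ)
    etype = hint["etype_info2"][0]
    key = derive_key(password, etype)
    return kdc_as_req(princ, (etype, seal_timestamp(key, time.time())))

def client_optimistic(princ, password, guessed_etype, fallback=False):
    # One round trip: the client must guess the enctype before hearing from the KDC.
    key = derive_key(password, guessed_etype)
    reply = kdc_as_req(princ, (guessed_etype, seal_timestamp(key, time.time())))
    if "error" in reply and fallback:
        # This example's own handling: retry with the conventional exchange.
        return client_conventional(princ, password)
    return reply

if __name__ == "__main__":
    p, pw = "user@EXAMPLE.COM", "constructed-password"
    print("conventional:        ", client_conventional(p, pw))
    print("optimistic, etype 18:", client_optimistic(p, pw, 18))
    print("optimistic, fallback:", client_optimistic(p, pw, 18, fallback=True))
```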
