
Re: preauth_always option?

On May 28, 2008, at 1:15 PM, Michael B Allen wrote:

> Hi,
>
> It seems Windows records a "preauthentication failed" event log error
> when the AS-REQ doesn't include pre-authentication data. This is a benign
> error of course but it confuses people and is generally annoying. My
> understanding is that preauthentication is pretty much required by
> everyone at this point, no?
>
> Does anyone have a patch to make get_in_tkt.c always send
> preauthentication data?
>
> For example, the following could indicate that the client should always
> send KRB5_PADATA_ENC_TIMESTAMP preauthentication data:
>
>  [libdefaults]
>      preauth_always = 2
>
> If not, I'll make one and post it, but I was hoping someone else had done
> this already.
>
> Mike

I'd like an option like that, no question.

We should at least consider how MIT does it though.  If you use
krb5_get_init_creds_opt_set_preauth_list() to set the client-allowed
preauth types, then MIT will preemptively use one of them in the
initial AS-REQ.  Heimdal "supports" the API, but ignores the list for
the initial AS-REQ.

If we do something other than support the "standard" API, then I'd
suggest an option like

[libdefaults]
	default_initial_preauth_type = timestamp

The current default for that parameter, of course, is "none".  I'm
assuming that the client is well-behaved when faced with a server that
e.g. requires PKINIT or SAM2 instead of timestamp preauth.  It should
still retry with a supported preauth type if the first try isn't
acceptable, and it *can* talk one of the desired preauth types.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
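The AS-REQ exchange both messages describe, as an added example that is not part of this thread or of the Heimdal/MIT code: a toy Python model in which the client either sends no padata in the first AS-REQ (today's default) or preemptively sends PA-ENC-TIMESTAMP, and the toy KDC records the KDC_ERR_PREAUTH_REQUIRED error that Windows surfaces as "preauthentication failed" when padata is missing, distinct from KDC_ERR_PREAUTH_FAILED for a wrong key. The KDC class, get_init_tkt(), the key-MAC stand-in for the encrypted timestamp and the "opaque" PKINIT/SAM2 bodies are assumptions of this model; the padata type numbers and error codes are the real ones.

```python
import hmac, hashlib, time

# Real padata type numbers (RFC 4120, RFC 4556, RFC 6560) and KDC error codes (RFC 4120).
PA_ENC_TIMESTAMP, PA_PK_AS_REQ, PA_SAM_CHALLENGE2 = 2, 16, 30
KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED = 24, 25
MAX_SKEW = 300  # seconds of clock skew the toy KDC tolerates

def enc_timestamp(key, ts):
    # Stand-in for PA-ENC-TIMESTAMP (assumption of this toy model): a MAC of the timestamp under
    # the client's long-term key plays the role of the real encryption with that key.
    return ts, hmac.new(key, str(ts).encode(), hashlib.sha256).digest()

class KDC:
    """Toy KDC. db maps principal -> (long-term key, set of padata types its policy accepts)."""
    def __init__(self, db):
        self.db, self.log = db, []  # log: (principal, error) pairs, what a DC would record

    def as_req(self, cname, padata, now):
        key, accepted = self.db[cname]
        if padata is None or padata[0] not in accepted:
            self.log.append((cname, KDC_ERR_PREAUTH_REQUIRED))  # the benign but noisy event
            return {'error': KDC_ERR_PREAUTH_REQUIRED, 'e-data': sorted(accepted)}
        ptype, pvalue = padata
        if ptype == PA_ENC_TIMESTAMP:
            ts, mac = pvalue
            if abs(now - ts) > MAX_SKEW or not hmac.compare_digest(mac, enc_timestamp(key, ts)[1]):
                self.log.append((cname, KDC_ERR_PREAUTH_FAILED))  # wrong key: the event that matters
                return {'error': KDC_ERR_PREAUTH_FAILED}
        # PKINIT / SAM2 exchanges are not modelled; any other accepted type is treated as valid.
        return {'as-rep': f'TGT for {cname}'}

def get_init_tkt(kdc, cname, key, client_types, initial_type=None, now=None):
    """Client side. initial_type=None is today's default (no padata in the first AS-REQ);
    PA_ENC_TIMESTAMP is the proposed option. On KDC_ERR_PREAUTH_REQUIRED the client retries
    once with a type both sides support. Returns the KDC replies, one per AS-REQ sent."""
    now = int(time.time()) if now is None else now
    def build(ptype):
        if ptype == PA_ENC_TIMESTAMP:
            return (ptype, enc_timestamp(key, now))
        return (ptype, b'opaque')  # placeholder body standing in for a PKINIT / SAM2 exchange
    padata = build(initial_type) if initial_type in client_types else None
    rep = kdc.as_req(cname, padata, now)
    replies = [rep]
    if rep.get('error') == KDC_ERR_PREAUTH_REQUIRED:
        common = [t for t in rep['e-data'] if t in client_types]
        if common:  # otherwise the KDC wants a type this client cannot talk: give up
            replies.append(kdc.as_req(cname, build(common[0]), now))
    return replies
```

With the default of no initial padata every logon costs two AS-REQs and one logged PREAUTH_REQUIRED error; sending the timestamp preemptively removes both, while a KDC that only accepts PKINIT/SAM2 still gets a second try only if the client can talk one of those.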