[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: preauth_always option?

To: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: preauth_always option?
From: Michael B Allen <miallen@ioplex.com>
Date: Thu, 29 May 2008 14:19:39 -0400
Cc: heimdal-discuss@sics.se, "Douglas E. Engert" <deengert@anl.gov>, LoveHörnquist Åstrand <lha@kth.se>
In-Reply-To: <45A5967E-75F1-4AF8-BB3C-52C7BD6D0B30@mit.edu>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: IOPLEX Software
References: <20080528161545.3b01bbc5.miallen@ioplex.com><92911A79-07C9-448A-BBF7-9306024E0EAF@kth.se><20080528223229.2f8c0aa4.miallen@ioplex.com><483EB7C2.7090305@anl.gov><45A5967E-75F1-4AF8-BB3C-52C7BD6D0B30@mit.edu>
Reply-To: heimdal-discuss@sics.se, Michael B Allen <miallen@ioplex.com>

On Thu, 29 May 2008 12:26:26 -0400
Ken Raeburn <raeburn@MIT.EDU> wrote:

> On May 29, 2008, at 10:03, Douglas E. Engert wrote:
> > Michael B Allen wrote:
> >> On Wed, 28 May 2008 18:55:26 -0700
> >> Love Hörnquist Åstrand <lha@kth.se> wrote:
> >>>> If not I'll make one and post it but I was hoping someone else  
> >>>> had  done
> >>>> this already
> >>> The problem with sending preauth data is that you get back an  
> >>> error if  you guess wrong salting.
> >>>
> >>> And its usually and error w/o the ETYPE_INFO(2) that hints want  
> >>> salt  to use.
> >> I do not think that should be too much of a problem.
> >
> > Java-1.4 had this same problem with Windows AD as the KDC. The  
> > client assumed
> > it knew the salt for a DES key, and sent the timestamp encrypted  
> > with the wron
> > key which produced an failed error. But the client did not retry.
> > Java-1.6 fixes the problem.
> 
> I was talking with someone last night about some similar stuff for the  
> MIT implementation.  One idea we were kicking around was to cache per- 
> principal or per-user information on a client (with caveats about user  
> privacy issues) so that, for example, kinit (or login/pam) could first  
> try authenticating using the preauth scheme and enctype and salt (and  
> whatever else) that were used the last time for the same user.

It had occured to me that the "salt hint" should be dealt with outside the
get_in_tkt loop. But it's not obvious to me as to how one can retrieve the
ETYPE_INFO after a successful AS-REQ such that it can be cached in some
way whether it by in a static variable or a file on the client. I suppose
there could be a set of krb5_get_init_creds_opt_{get,set}_etype_info
functions.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Follow-Ups:
- Re: preauth_always option?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: preauth_always option?
  - From: Ken Raeburn <raeburn@MIT.EDU>

References:
- preauth_always option?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: preauth_always option?
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: preauth_always option?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: preauth_always option?
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: preauth_always option?
  - From: Ken Raeburn <raeburn@MIT.EDU>

Prev by Date: Re: Last login incorrect
Next by Date: Re: Last login incorrect
Prev by thread: Re: preauth_always option?
Next by thread: Re: preauth_always option?
Index(es):
- Date
- Thread