
Using PREAUTH on the initial AS_REQ


Jack Neely

Sep 19, 2012, 4:07:47 PM
to kerb...@mit.edu
Greetings,

I have a performance issue between my KDCs and our radius servers that
have very heavy authentication load. As our principals have PREAUTH
required there's much more RPC traffic to the KDCs than with PREAUTH
turned off. Combined with the kprop happening every 5 minutes our
radius servers sometimes encounter a 3 or 5 second delay, and with 600
requests a minute things quickly cascade.

How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.) Testing with a
principal that does not require PREAUTH shows a marked performance
increase.

Secondly, my KDCs are getting quite a few PREAUTH_FAILED error messages
which seems to indicate the client used a PREAUTH type the KDC did not
understand. Will setting preferred_preauth_types in krb5.conf to use
PA-ENC-TIMESTAMP first correct this? What's the right incantation?

Jack Neely

--
Jack Neely <jjn...@ncsu.edu>
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4 EA6B 213B 765F 3B6A 5B89

Jack Neely

Sep 20, 2012, 3:09:22 PM
to kerb...@mit.edu
On Wed, Sep 19, 2012 at 04:07:47PM -0400, Jack Neely wrote:
> Greetings,
>
> I have a performance issue between my KDCs and our radius servers that
> have very heavy authentication load. As our principals have PREAUTH
> required there's much more RPC traffic to the KDCs than with PREAUTH
> turned off. Combined with the kprop happening every 5 minutes our
> radius servers sometimes encounter a 3 or 5 second delay, and with 600
> requests a minute things quickly cascade.
>
> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.) Testing with a
> principal that does not require PREAUTH shows a marked performance
> increase.
>
> Secondly, my KDCs are getting quite a few PREAUTH_FAILED error messages
> which seems to indicate the client used a PREAUTH type the KDC did not
> understand. Will setting preferred_preauth_types in krb5.conf to use
> PA-ENC-TIMESTAMP first correct this? What's the right incantation?
>

Nothing like replying to your own email. A network capture has revealed
what's happening with the PREAUTH_FAILED error messages. My newer
clients (krb5 1.9 on RHEL 6) are sending an AS_REQ to my KDCs with a
preauthentication data of type PA-REQ-ENC-PA-REP (149).

My KDCs are RHEL 5 running krb5 1.6.1 and in this case return error code
KRB5KDC_ERR_PREAUTH_FAILED (24). At this point the client tries an
AS_REQ with either no preauth or PA-ENC-TIMESTAMP.

As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
shouldn't it be ignoring the preauth data rather than returning an
error?
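The capture above distinguishes two things a KDC log lumps under the same error: a PREAUTH_FAILED that is immediately followed by a normal NEEDED_PREAUTH/ISSUE exchange from the same client (an old KDC rejecting a padata type it does not know, then the client falling back), and repeated PREAUTH_FAILED with no ticket ever issued (a wrong key or password). The following script is an added example, not code from the thread or from MIT krb5; it classifies AS_REQ lines from a krb5kdc.log, reports how many AS_REQs the KDC answered per ticket issued (the round-trip overhead the original post is worried about), and flags both patterns. The log lines are constructed in the style of a 1.6-era MIT KDC log; the principal names, IPs and timestamps are made up.

```python
"""Classify AS_REQ outcomes in an MIT krb5 KDC log (added example).

Assumes the krb5kdc.log line layout of 1.6-era MIT KDCs; the sample
lines below are constructed for this example, not real captures.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: a radius host whose first AS_REQ is rejected and
# then retried, a normal two-round-trip user, and a user with a bad key.
SAMPLE_LOG = """\
Sep 20 14:01:02 kdc1 krb5kdc[2345](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.2.3: PREAUTH_FAILED: radius/host1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 20 14:01:02 kdc1 krb5kdc[2345](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.2.3: NEEDED_PREAUTH: radius/host1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 20 14:01:03 kdc1 krb5kdc[2345](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.2.3: ISSUE: authtime 1348164063, etypes {rep=18 tkt=18 ses=18}, radius/host1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 20 14:01:05 kdc1 krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.4: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 20 14:01:05 kdc1 krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.4: ISSUE: authtime 1348164065, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 20 14:01:09 kdc1 krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.5: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 20 14:01:10 kdc1 krb5kdc[2345](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.5: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 20 14:01:11 kdc1 krb5kdc[2345](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.4: ISSUE: authtime 1348164065, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web.example.com@EXAMPLE.COM
"""

# Only AS_REQ lines matter here; TGS_REQ and other noise are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?(?P<princ>[^\s,]+) for (?P<server>[^\s,]+)"
)


def parse_as_req(line):
    """Return a dict for one AS_REQ log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog stamps carry no year; only differences between stamps are used
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def parse_log(text):
    return [r for r in (parse_as_req(l) for l in text.splitlines()) if r]


def status_counts(records):
    """Per-principal Counter of AS_REQ outcomes (ISSUE, NEEDED_PREAUTH, ...)."""
    per = defaultdict(Counter)
    for r in records:
        per[r["princ"]][r["status"]] += 1
    return per


def requests_per_ticket(records):
    """AS_REQs the KDC answered per ticket issued, per principal.

    1.0 means the client pre-authenticated on its first request, 2.0 is the
    usual NEEDED_PREAUTH round trip, higher means failed attempts on top;
    inf means no ticket was ever issued."""
    out = {}
    for princ, c in status_counts(records).items():
        issued = c["ISSUE"]
        out[princ] = sum(c.values()) / issued if issued else float("inf")
    return out


def fallback_suspects(records, window_seconds=5):
    """Principals whose PREAUTH_FAILED is followed within the window by a
    NEEDED_PREAUTH or ISSUE from the same source IP: the 'KDC rejected an
    unknown optimistic padata type, client retried' pattern, not a bad key."""
    suspects = set()
    last_fail = {}
    for r in records:
        key = (r["princ"], r["ip"])
        if r["status"] == "PREAUTH_FAILED":
            last_fail[key] = r["ts"]
        elif r["status"] in ("NEEDED_PREAUTH", "ISSUE") and key in last_fail:
            if (r["ts"] - last_fail.pop(key)).total_seconds() <= window_seconds:
                suspects.add(r["princ"])
    return sorted(suspects)


def persistent_failures(records, min_failures=2):
    """Principals that only ever fail preauth: wrong password/key, or a
    missing key for the enctype the client used to protect the padata."""
    counts = status_counts(records)
    return sorted(p for p, c in counts.items()
                  if c["PREAUTH_FAILED"] >= min_failures and c["ISSUE"] == 0)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for princ, ratio in requests_per_ticket(recs).items():
        print(f"{princ}: {ratio:.1f} AS_REQs per ticket")
    print("fallback after rejected padata:", fallback_suspects(recs))
    print("persistent preauth failures:", persistent_failures(recs))
```

Run it against a real krb5kdc.log by replacing SAMPLE_LOG with the file contents; a ratio near 2.0 across the board is the cost of mandatory preauth without optimistic preauth, and a principal that shows up in fallback_suspects but never in persistent_failures matches the PA-REQ-ENC-PA-REP rejection described in the post rather than a credential problem.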

Greg Hudson

Sep 20, 2012, 3:47:30 PM
to Jack Neely, kerb...@mit.edu
On 09/19/2012 04:07 PM, Jack Neely wrote:
> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.)

Unfortunately, you can't, unless you control the code which is getting
initial tickets. If you're just using stock kinit or the like, there's
no runtime configuration option to do optimistic preauthentication.

If you do control the code which is getting initial tickets, you can use
krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
types to try optimistically.

> As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
> shouldn't it be ignoring the preauth data rather than returning an
> error?

It should, and a 1.7 or later KDC will do so.

Alejandro Perez Mendez

Sep 20, 2012, 4:19:02 PM
to kerb...@mit.edu

On 20/09/12 21:47, Greg Hudson wrote:
> On 09/19/2012 04:07 PM, Jack Neely wrote:
>> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
>> initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.)
> Unfortunately, you can't, unless you control the code which is getting
> initial tickets. If you're just using stock kinit or the like, there's
> no runtime configuration option to do optimistic preauthentication.
>
> If you do control the code which is getting initial tickets, you can use
> krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
> types to try optimistically.

Hi,

Check the following commit I performed some weeks ago, as part of my GSS
Preauth plugin. I needed exactly the same, so I implemented the
functionality.

https://github.com/alejandro-perez/krb5/commit/026b76a1208b4e3304e9477a897c6fb798cbc661

After applying this patch, just use the -u option with the PA_DATA number
along with your "kinit" command, as explained in this file:
https://github.com/alejandro-perez/krb5/blob/gsspreauth/src/plugins/preauth/gssapi/README.txt

Regards

>
>> As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
>> shouldn't it be ignoring the preauth data rather than returning an
>> error?
> It should, and a 1.7 or later KDC will do so.
>
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Will Fiveash

Sep 20, 2012, 4:22:48 PM
to Greg Hudson, kerb...@mit.edu
On Thu, Sep 20, 2012 at 03:47:30PM -0400, Greg Hudson wrote:
> On 09/19/2012 04:07 PM, Jack Neely wrote:
> > How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> > initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.)
>
> Unfortunately, you can't, unless you control the code which is getting
> initial tickets. If you're just using stock kinit or the like, there's
> no runtime configuration option to do optimistic preauthentication.
>
> If you do control the code which is getting initial tickets, you can use
> krb5_get_init_creds_opt_set_preauth_list() to set a list of preauth
> types to try optimistically.

Note, if the princ record in the KDB doesn't contain a key for the
enctype used to protect the preauth data in the AS_REQ the KDC will send
back an error and the show is over at that point. I learned this the
hard way when I modified pam_krb5 to do optimistic preauth (I had to
remove that logic).

--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>