
configure Kerberos client to always send (timestamp) preauthentication


Wood, Justin S

Feb 3, 2003, 1:38:09 AM
Hello,
Apologies if this is a dumb question - I've searched and searched but can't find an answer: is there any way to configure the (MIT?) Kerberos client[1] to always send "PA-ENC-TIMESTAMP" preauthentication with the initial 'AS-REQ' interaction?

I'm simply trying to remove the duplication when using a W2K Active Directory KDC whereby the first AS-REQ results in a KRB-ERROR response indicating "KRB5KDC_ERR_PREAUTH_REQUIRED" (and I believe at this point kinit requests the password?); the AS-REQ is resent, this time using the timestamp preauthentication, and a TGT is granted successfully ('AS-REP').

Perhaps I've missed the point, but should it not be possible to configure the client to always send preauth, and hence remove the initial redundant protocol interaction?

Any help much appreciated.

[1] I'm using Redhat 8.0 with Kerberos 1.2.5-8 client

PS - I would never have known this was occurring if it wasn't for the security failure audits on the W2K Domain Controller indicating "Additional pre-authentication required", error code 0x19; this is then followed by the successful granting of a TGT for the target principal.

--
Justin Wood, Directory Specialist
Directory Technologies, H&I
Telstra Technology

________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Sam Hartman

Feb 3, 2003, 9:28:29 AM, to kerb...@mit.edu
>>>>> "Wood," == Wood, Justin S <Justin...@team.telstra.com> writes:
Wood,> Perhaps I've missed the point, but should it not be
Wood,> possible to configure the client to always send preauth,
Wood,> and hence remove the initial redundant protocol
Wood,> interaction?

I believe that current APIs allow this, but kinit does not currently
implement that feature.

In future, it will be less useful as the client will need more
information from the KDC to make a correct guess about what preauth or
encryption types to use.

So you should not expect to see anyone actually exposing this support
in kinit.

swbell

Feb 3, 2003, 10:50:33 AM
I assume the API that allows this is krb5_get_init_creds_password, and the associated krb5_get_init_creds_opt_set_preauth_list.

Where is there documentation on putting stuff in the preauth list?

My Active Directory domain controller (Windows 2003) wants three preauth
types (debug output below):

salt len=-1; preauth data types: 11 2 15
etype info 0: etype 3 salt len=17 'KERYGMA.ORGnelson>\xef\xbf\xbd9'
etype info 1: etype 1 salt len=17 'KERYGMA.ORGnelson'

It looks like you could always guess that the salt is the realm with the
username concatenated.

These correspond to
KRB5_PADATA_ETYPE_INFO, KRB5_PADATA_ENC_TIMESTAMP, and 15 is not
documented (??)

Anyone know about PADATA type 15?

in article 87d6m9x...@luminous.mit.edu, Sam Hartman at hart...@mit.edu
wrote on 2/3/03 8:28 AM:

swbell

Feb 3, 2003, 12:49:00 PM
This is the minimum code to keep Active Directory from putting Failure Audit
stuff in the event log:

    #include <string.h>
    #include <krb5.h>

    /* Fill in the init-creds options so the very first AS-REQ already
     * carries PA-ENC-TIMESTAMP.  outOptions is caller-owned storage that
     * is later passed to krb5_get_init_creds_password(); the arrays are
     * static because the option struct only stores pointers to them. */
    static void set_timestamp_preauth(krb5_get_init_creds_opt *outOptions)
    {
        static krb5_preauthtype preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
        static krb5_enctype etypes[] = { ENCTYPE_DES_CBC_MD5 };

        memset(outOptions, 0, sizeof(*outOptions));
        krb5_get_init_creds_opt_init(outOptions);
        krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
        krb5_get_init_creds_opt_set_etype_list(outOptions, etypes,
                                               sizeof(etypes) / sizeof(krb5_enctype));
        krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth,
                                                 sizeof(preauth) / sizeof(krb5_preauthtype));
    }

in article BA63EBE9.9F84%kery...@swbell.net, swbell at kery...@swbell.net
wrote on 2/3/03 9:50 AM:
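The two-step exchange the original post describes (AS-REQ, KRB-ERROR 0x19 with etype-info, AS-REQ with PA-ENC-TIMESTAMP, AS-REP) and the one-step version the option list above produces, as an added example that is not part of this thread and not MIT Kerberos or Microsoft code. The realm, principal and salt ("KERYGMA.ORGnelson") are taken from the etype-info dump earlier in the thread; the password, KDC clock and the sha256/HMAC stand-ins for the enctype's string-to-key and encryption are assumptions, so the code models the message flow and the resulting audit entries, not Kerberos cryptography (the DES-CBC-MD5 etype pinned in the snippet is a 2003 choice and should not be used today). It also shows the failure modes a practitioner sees in the DC log: wrong password (KDC_ERR_PREAUTH_FAILED, 0x18) and clock skew (KRB_AP_ERR_SKEW).

```python
"""Model of the AS exchange discussed in this thread (added example, not MIT
Kerberos or Microsoft code).  The crypto is a stand-in: the long-term key is
sha256(salt + password) and the "encrypted timestamp" is an HMAC over it;
real Kerberos uses the enctype's string-to-key and encryption.  The message
flow is the real one: an AS-REQ without PA-ENC-TIMESTAMP draws
KDC_ERR_PREAUTH_REQUIRED (25 = 0x19) carrying PA-ETYPE-INFO with the salt,
and the retry with PA-ENC-TIMESTAMP gets the AS-REP."""
import hashlib
import hmac

PA_ENC_TIMESTAMP = 2            # padata types from the etype-info dump above
PA_ETYPE_INFO = 11
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_FAILED = 24     # 0x18
KDC_ERR_PREAUTH_REQUIRED = 25   # 0x19, the code in the W2K failure audit
KRB_AP_ERR_SKEW = 37
MAX_SKEW = 300                  # seconds of clock skew the KDC tolerates


def default_salt(realm, principal):
    """The salt AD advertises in PA-ETYPE-INFO: realm then principal name."""
    return realm + principal


def string_to_key(password, salt):
    """STAND-IN for the enctype's string-to-key (assumption, not DES s2k)."""
    return hashlib.sha256((salt + password).encode()).digest()


def enc_timestamp(key, timestamp):
    """STAND-IN for encrypting the timestamp under the long-term key."""
    return hmac.new(key, str(timestamp).encode(), hashlib.sha256).digest()


class KDC:
    def __init__(self, realm, clock):
        self.realm, self.clock, self.keys = realm, clock, {}
        self.audit = []   # (outcome, principal, code), like the DC security log

    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, default_salt(self.realm, name))

    def as_req(self, cname, padata):
        key = self.keys.get(cname)
        if key is None:
            self.audit.append(("failure", cname, KDC_ERR_C_PRINCIPAL_UNKNOWN))
            return {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN}
        ts_pa = [v for t, v in padata if t == PA_ENC_TIMESTAMP]
        if not ts_pa:   # the round trip the original poster wants to avoid
            self.audit.append(("failure", cname, KDC_ERR_PREAUTH_REQUIRED))
            return {"error": KDC_ERR_PREAUTH_REQUIRED,
                    "padata": [(PA_ETYPE_INFO, default_salt(self.realm, cname))]}
        timestamp, mac = ts_pa[0]
        if not hmac.compare_digest(mac, enc_timestamp(key, timestamp)):
            self.audit.append(("failure", cname, KDC_ERR_PREAUTH_FAILED))
            return {"error": KDC_ERR_PREAUTH_FAILED}
        if abs(self.clock - timestamp) > MAX_SKEW:
            self.audit.append(("failure", cname, KRB_AP_ERR_SKEW))
            return {"error": KRB_AP_ERR_SKEW}
        self.audit.append(("success", cname, 0))
        return {"tgt": "krbtgt/%s@%s for %s" % (self.realm, self.realm, cname)}


def kinit(kdc, principal, password, now, preauth_list=()):
    """Return (tgt or None, round_trips, error code).  With PA_ENC_TIMESTAMP
    in preauth_list the client guesses the salt as realm + principal and sends
    preauth in the first AS-REQ, as the C snippet above arranges; otherwise it
    waits for the KDC's KRB-ERROR and uses the salt the KDC supplies."""
    padata = []
    if PA_ENC_TIMESTAMP in preauth_list:
        key = string_to_key(password, default_salt(kdc.realm, principal))
        padata = [(PA_ENC_TIMESTAMP, (now, enc_timestamp(key, now)))]
    round_trips = 0
    while True:
        round_trips += 1
        rep = kdc.as_req(principal, padata)
        if "tgt" in rep:
            return rep["tgt"], round_trips, 0
        if rep["error"] == KDC_ERR_PREAUTH_REQUIRED and round_trips == 1:
            salt = dict(rep["padata"])[PA_ETYPE_INFO]
            key = string_to_key(password, salt)
            padata = [(PA_ENC_TIMESTAMP, (now, enc_timestamp(key, now)))]
            continue
        return None, round_trips, rep["error"]


def demo(preauth_list=(), password="s3cret", client_skew=0):
    """Constructed realm/principal from the etype-info dump in the thread."""
    kdc = KDC("KERYGMA.ORG", clock=1044232689)
    kdc.add_principal("nelson", "s3cret")
    tgt, trips, err = kinit(kdc, "nelson", password, kdc.clock + client_skew,
                            preauth_list)
    return tgt is not None, trips, err, kdc.audit
```

Running demo() with no preauth list gives two round trips and an audit trail of one 0x19 failure followed by a success, which is exactly the pair of events the original poster saw on the domain controller; demo((PA_ENC_TIMESTAMP,)) gives one round trip and a single success entry. The client-side salt guess only works because AD uses the realm-plus-principal default; a principal with a non-default salt would fail preauth on the first try and need the KDC-supplied salt from the error, which is the point Sam Hartman makes about needing more information from the KDC.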
