[28058] in Kerberos


Re: Preauth mechanism provision in MIT kerberos

daemon@ATHENA.MIT.EDU (John Washington)
Wed Jul 18 09:52:08 2007

Date: Wed, 18 Jul 2007 08:46:49 -0500
From: John Washington <jawashin@uiuc.edu>
To: Mike Dopheide <dopheide@ncsa.uiuc.edu>
Message-ID: <20070718134649.GE10596@localhost>
In-Reply-To: <469E119D.1030402@ncsa.uiuc.edu>
Cc: kerberos@mit.edu

Well, you do that and set it as a default for all new principals.

* Mike Dopheide <dopheide@ncsa.uiuc.edu> [2007-07-18 08:22]:
> For an existing principal you can enable preauth from kadmin with:
> 
> modprinc +requires_preauth principalname
> 
> I don't know of a way to enable preauth globally aside from setting it 
> for each principal.
> 
> -Mike
> 
> Gopal Paliwal wrote:
> > Hi Friends,
> > 
> > Recently I set up the whole kerberos system using MIT kerberos 1.6.1. When I
> > run the kinit command I observe the results on ethereal.
> > Following is my observation:
> > $>kinit <username>
> > I observe that as soon as I enter above command, ethereal captures 2 packets
> > namely KRB5_AS_REQ and KRB5_AS_RES. After that I type password at my end to
> > which is used to decrypt the session key(between TGS & Client), I get in
> > response.
> > 
> > I assume that for the above case "pre-auth mechanism" in kerberos is not
> > activated. Even when I look at the code & RFC, I observe that preauth
> > mechanism is optional.
> > 
> > I wish to activate this mechanism for my set-up so that the password
> > generated key will be used to encrypt the time-stamp at the client side and
> > this encrypted stamp will be carried by the KRB5_AS_REQ to authentication
> > server.
> > That means I should see above message flow on the ethereal only when the
> > user types both its username and password for kinit command.
> > 
> > Could any one tell me how do I activate this preauth mechanism in my
> > kerberos if my above assumption is on the correct track. And also point out
> > the files I need to change to activate this mechanism.
> > 
> > Thanks in advance.
> > 
> > Regards,
> > Gopal Paliwal
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> > 

-- 
John Washington       Security Officer, 
University of Illinois Urbana-Champaign
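
Added example, not part of the original thread or of MIT Kerberos: a small audit that reads saved kadmin `getprinc` output, finds principals whose `Attributes:` line lacks `REQUIRES_PRE_AUTH`, and emits the `modprinc +requires_preauth` command quoted above for each. The realm, principal names and sample text are constructed, and the script assumes the `Principal:` / `Attributes:` field layout that `getprinc` prints.

```python
# Constructed sample: concatenated `getprinc` output for three principals.
# Realm and names are made up; only the fields this audit reads are shown.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Number of keys: 2
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@EXAMPLE.COM
Number of keys: 2
Attributes:
Policy: [none]
Principal: host/web1.example.com@EXAMPLE.COM
Number of keys: 2
Attributes: DISALLOW_POSTDATED
Policy: [none]
"""


def parse_principals(text):
    """Return {principal: set of attribute names} from getprinc output."""
    principals, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line
        key = key.strip()
        if key == "Principal":
            current = value.strip()
            principals[current] = set()
        elif key == "Attributes" and current is not None:
            # An empty Attributes line means no flags are set.
            principals[current].update(value.split())
    return principals


def missing_preauth(text):
    """Principals that can still get an AS reply without preauthenticating."""
    return sorted(name for name, attrs in parse_principals(text).items()
                  if "REQUIRES_PRE_AUTH" not in attrs)


def remediation_commands(text):
    """kadmin commands, in the form used in the thread, one per principal."""
    return [f"modprinc +requires_preauth {name}" for name in missing_preauth(text)]


if __name__ == "__main__":
    for command in remediation_commands(SAMPLE_GETPRINC):
        print(command)
```

For principals created later, MIT krb5's `kdc.conf` realm setting `default_principal_flags = +preauth` applies the flag at creation time.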
