[28063] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Preauth mechanism provision in MIT kerberos

daemon@ATHENA.MIT.EDU (Marcus Watts)
Wed Jul 18 15:48:39 2007

to: kerberos@mit.edu
In-reply-to: <20070718134649.GE10596@localhost> 
Date: Wed, 18 Jul 2007 15:34:43 -0400
From: Marcus Watts <mdw@spam.ifs.umich.edu>
Message-Id: <E1IBFIJ-0003Lt-5D@spam.ifs.umich.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

John Washington <jawashin@uiuc.edu> sent:
> Date:    Wed, 18 Jul 2007 08:46:49 CDT
> To:      Mike Dopheide <dopheide@ncsa.uiuc.edu>
> cc:      kerberos@mit.edu
> From:    John Washington <jawashin@uiuc.edu>
> Subject: Re: Preauth mechanism provision in MIT kerberos
...
> Well, you do that and set it as a default for all new priciples.
...

The only way to set it for existing principals is via 'modprinc'.
For new principals, you can set "default_principal_flags"
inside of kdc.conf [realms] your-realm {}, something like this:
...
		acl_file = /var/krb5kdc/kadm5.acl
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des-cbc-crc
                default_principal_flags = +preauth
...

Note that default_principal_flags is not necessarily
the default for principals you create for keytabs.
Also note that you may not *want* preauth for keytab principals;
it that's set, the keytab isn't useable by principals that
for some reason did not authenticate using preauth.

					-Marcus Watts
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post