From: James Ralston
Date: Wed, 18 Apr 2018 14:03:34 -0400
Subject: RFE: [realms] should support an "always_use_preauth" option
To: krb5-bugs@mit.edu

Anyone who has watched the MIT Kerberos library speak to a Microsoft
Active Directory KDC knows that performing a simple kinit requires a
13-packet exchange:

---------------------------------------------------------
packet                TCP          Kerberos
number  who  proto    options      protocol
---------------------------------------------------------
1       C    UDP                   AS-REQ (no preauth)
2       S    UDP                   KRB5KDC_PREAUTH_REQUIRED
3       C    UDP                   AS-REQ (with preauth)
4       S    UDP                   KRB5KRB_ERR_RESPONSE_TOO_BIG
5       C    TCP      SYN
6       S    TCP      SYN/ACK
7       C    TCP      ACK
8       C    TCP      PSH/ACK      AS-REQ (with preauth)
9       S    TCP      PSH/ACK      AS-REP
10      C    TCP      ACK
11      C    TCP      FIN/ACK
12      S    TCP      ACK
13      S    TCP      RST/ACK
---------------------------------------------------------

The first (UDP-based) exchange fails because the MIT Kerberos library
doesn't use preauth. The second exchange fails because virtually all
responses from a Microsoft Active Directory KDC will include a PAC, and
thus will be unable to fit within a UDP packet.

There is a [libdefaults] option, udp_preference_limit, that can be used
to tell the MIT Kerberos library to always use TCP instead of UDP.
But when speaking to an Active Directory KDC, setting that option to 0
(to always force TCP) in fact makes the exchange *worse*, not better:

---------------------------------------------------------
packet                TCP          Kerberos
number  who  proto    options      protocol
---------------------------------------------------------
1       C    TCP      SYN
2       S    TCP      SYN/ACK
3       C    TCP      ACK
4       C    TCP      PSH/ACK      AS-REQ (no preauth)
5       S    TCP      PSH/ACK      KRB5KDC_PREAUTH_REQUIRED
6       C    TCP      ACK
7       C    TCP      FIN/ACK
8       S    TCP      ACK
9       S    TCP      RST/ACK
10      C    TCP      SYN
11      S    TCP      SYN/ACK
12      C    TCP      ACK
13      C    TCP      PSH/ACK      AS-REQ (with preauth)
14      S    TCP      PSH/ACK      AS-REP
15      C    TCP      ACK
16      C    TCP      FIN/ACK
17      S    TCP      ACK
18      S    TCP      RST/ACK
---------------------------------------------------------

Rather than taking 2 UDP packets to discover that preauth is required,
it takes 9 TCP packets.

If there were a [realms]-specific option for the administrator to tell
the MIT Kerberos library that a specific realm *always* requires preauth,
then the useless KRB5KDC_PREAUTH_REQUIRED exchange (2 UDP packets or 9
TCP packets) could be avoided. Combined with setting
udp_preference_limit, this could meaningfully reduce the packet exchange
count required for an initial kinit:

---------------------------------------------------------
packet                TCP          Kerberos
number  who  proto    options      protocol
---------------------------------------------------------
1       C    TCP      SYN
2       S    TCP      SYN/ACK
3       C    TCP      ACK
4       C    TCP      PSH/ACK      AS-REQ (with preauth)
5       S    TCP      PSH/ACK      AS-REP
6       C    TCP      ACK
7       C    TCP      FIN/ACK
8       S    TCP      ACK
9       S    TCP      RST/ACK
---------------------------------------------------------

Therefore, please consider adding a [realms]-specific option to force
the MIT Kerberos libraries to always use preauth when talking to the
KDCs for the realm in question.
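The three traces above all follow from the same two client decisions (try UDP first? send preauth on the first AS-REQ?) and two KDC behaviours (demand preauth; refuse to send a PAC-sized AS-REP over UDP). The following model, added here as an illustration and not code from the krb5 project or from this request, plays both sides of that state machine and counts packets for each configuration. It also covers the fourth combination the request implies but does not tabulate (the proposed option alone, with the default udp_preference_limit). The KDC sizes, the 1465-byte UDP budget, the 300-byte AS-REQ and the realm-level always_use_preauth flag are constructed assumptions; always_use_preauth in particular is the hypothetical option being requested, not an existing krb5.conf setting.

```python
"""Packet-count model of a kinit AS exchange against a KDC that requires
preauthentication and returns AS-REPs too large for UDP.

Constructed example: a simplified model of client and KDC behaviour, not the
krb5 library's code. ``always_use_preauth`` is the hypothetical [realms]
option proposed in the request; it does not exist in krb5.conf.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (packet number, who, proto, TCP options, Kerberos message)
Packet = Tuple[int, str, str, str, str]


@dataclass
class Kdc:
    """Simplified Active Directory-style KDC (constructed values)."""
    requires_preauth: bool = True
    as_rep_size: int = 2400      # constructed: an AS-REP carrying a PAC
    udp_reply_max: int = 1465    # constructed: largest reply it will send over UDP

    def handle(self, proto: str, preauth: bool) -> str:
        # A real KDC also attaches etype/salt hints to the preauth error;
        # this model only tracks the message type.
        if self.requires_preauth and not preauth:
            return "KRB5KDC_PREAUTH_REQUIRED"
        if proto == "UDP" and self.as_rep_size > self.udp_reply_max:
            return "KRB5KRB_ERR_RESPONSE_TOO_BIG"
        return "AS-REP"


@dataclass
class ClientConfig:
    udp_preference_limit: int = 1465   # real [libdefaults] option (default 1465)
    always_use_preauth: bool = False   # HYPOTHETICAL [realms] option from the request


def _udp_exchange(trace: List[Packet], request: str, response: str) -> None:
    """One request/response pair over UDP costs two datagrams."""
    trace.append((len(trace) + 1, "C", "UDP", "", request))
    trace.append((len(trace) + 1, "S", "UDP", "", response))


def _tcp_exchange(trace: List[Packet], request: str, response: str) -> None:
    """One request/response pair over TCP costs nine segments: handshake,
    request, reply, ACK, then the FIN/ACK, ACK, RST/ACK teardown."""
    steps = [("C", "SYN", ""), ("S", "SYN/ACK", ""), ("C", "ACK", ""),
             ("C", "PSH/ACK", request), ("S", "PSH/ACK", response),
             ("C", "ACK", ""), ("C", "FIN/ACK", ""), ("S", "ACK", ""),
             ("S", "RST/ACK", "")]
    for who, flags, krb in steps:
        trace.append((len(trace) + 1, who, "TCP", flags, krb))


def kinit_trace(cfg: ClientConfig, kdc: Kdc, as_req_size: int = 300) -> List[Packet]:
    """Drive the client until it receives an AS-REP; return the packet trace."""
    trace: List[Packet] = []
    preauth = cfg.always_use_preauth
    force_tcp = False
    while True:
        # krb5 tries UDP first only when the request fits under the limit
        use_udp = not force_tcp and as_req_size <= cfg.udp_preference_limit
        proto = "UDP" if use_udp else "TCP"
        request = "AS-REQ (with preauth)" if preauth else "AS-REQ (no preauth)"
        response = kdc.handle(proto, preauth)
        (_udp_exchange if use_udp else _tcp_exchange)(trace, request, response)
        if response == "AS-REP":
            return trace
        if response == "KRB5KDC_PREAUTH_REQUIRED":
            preauth = True       # retry with preauth, as the library does
        elif response == "KRB5KRB_ERR_RESPONSE_TOO_BIG":
            force_tcp = True     # retry the same request over TCP
        else:
            raise RuntimeError("unexpected KDC response: " + response)


def scenarios(kdc: Kdc = None) -> Dict[str, int]:
    """Packet count for each client configuration against the same KDC."""
    kdc = kdc or Kdc()
    return {
        "default": len(kinit_trace(ClientConfig(), kdc)),
        "udp_preference_limit=0": len(kinit_trace(ClientConfig(udp_preference_limit=0), kdc)),
        "always_use_preauth": len(kinit_trace(ClientConfig(always_use_preauth=True), kdc)),
        "both": len(kinit_trace(ClientConfig(udp_preference_limit=0, always_use_preauth=True), kdc)),
    }


def format_trace(trace: List[Packet]) -> str:
    """Render a trace in the same column layout as the tables above."""
    lines = ["packet  who  proto  TCP options  Kerberos protocol"]
    for num, who, proto, flags, krb in trace:
        lines.append(f"{num:<7} {who:<4} {proto:<6} {flags:<12} {krb}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name:<24} {count} packets")
    print(format_trace(kinit_trace(ClientConfig(), Kdc())))
```

The model reproduces the 13, 18 and 9 packet counts of the three tables, and shows that the proposed option by itself (with the default UDP preference) costs 11 packets: the preauth round trip is gone, but the PAC-sized reply still forces one UDP attempt to fail before the TCP retry.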