From: Sam Hartman <hartmans@MIT.EDU>
To: Nicolas Williams <Nicolas.Williams@oracle.com>, krb5-bugs@MIT.EDU
Subject: document preferred_preauth_types
Date: Tue, 28 Sep 2010 08:49:49 -0400
CC: Russ Allbery <rra@stanford.edu>

In a discussion on krbdev, Nico told Russ that krb5.conf could force
preauth.
Russ said he was unaware of that option; Nico thought he must have been
mistaken.
However, quoting get_in_tkt.c:

    ret = krb5int_libdefault_string(context, realm,
                                    KRB5_CONF_PREFERRED_PREAUTH_TYPES,
                                    &preauth_types);



This option should be documented.


--Sam
Date: Tue, 28 Sep 2010 09:56:00 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Sam Hartman <hartmans@MIT.EDU>
Subject: Re: document preferred_preauth_types
CC: Russ Allbery <rra@stanford.edu>, krb5-bugs@MIT.EDU
On Tue, Sep 28, 2010 at 08:49:49AM -0400, Sam Hartman wrote:
> In a discussion on krbdev, Nico told Russ that krb5.conf could force
> preauth.
> Russ said he was unaware of that option; Nico thought he must have been
> mistaken.
> However, quoting get_in_tkt.c:
>
>     ret = krb5int_libdefault_string(context, realm,
>                                     KRB5_CONF_PREFERRED_PREAUTH_TYPES,
>                                     &preauth_types);

Reading the code I got the impression that this only works when the KDC
requires pre-auth.

> This option should be documented.

It should be, yes.

Nico
--
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #6788] document preferred_preauth_types
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 22 Feb 2011 15:14:37 -0500
RT-Send-Cc:
"Sam Hartman via RT" <rt-comment@krbdev.mit.edu> writes:

> In a discussion on krbdev, Nico told Russ that krb5.conf could force
> preauth.
> Russ said he was unaware of that option; Nico thought he must have been
> mistaken.
> However, quoting get_in_tkt.c:
>
>     ret = krb5int_libdefault_string(context, realm,
>                                     KRB5_CONF_PREFERRED_PREAUTH_TYPES,
>                                     &preauth_types);
>
>
>
> This option should be documented.

Do you have suggested text?
By my reading of the code, that variable doesn't do what Sam thinks it
does. It affects the sort order of the preauth list (and the default
value is what causes PKINIT to be used in preference to mechanisms which
would prompt for the password, like encrypted timestamp), but it doesn't
cause optimistic preauth.
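
Added example, not part of the ticket and not libkrb5's own code: a minimal C model of the behaviour described in the last message, where a preference list only reorders the padata types the KDC advertised and never adds one. The helper name `sort_by_preference`, the sample KDC list, and the preference list 17, 16, 15, 14 (the PKINIT padata types, assumed here as the default) are illustrative assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Padata type numbers from RFC 4120 / RFC 4556. */
enum { PA_ENC_TIMESTAMP = 2, PA_PK_AS_REQ_OLD = 14, PA_PK_AS_REP_OLD = 15,
       PA_PK_AS_REQ = 16, PA_PK_AS_REP = 17, PA_ETYPE_INFO2 = 19 };

/*
 * Hypothetical helper (not libkrb5's function): reorder the padata types the
 * KDC advertised so that types named in `preferred` come first, in preference
 * order. Types not in `preferred` keep their relative order. Nothing is ever
 * added: a type the KDC did not advertise stays absent, so this cannot make
 * the client send preauth data the KDC never asked for.
 */
static void sort_by_preference(int *advertised, size_t n,
                               const int *preferred, size_t npref)
{
    size_t base = 0; /* entries before `base` are already placed */
    for (size_t i = 0; i < npref && base < n; i++) {
        for (size_t j = base; j < n; j++) {
            if (advertised[j] != preferred[i])
                continue;
            int hit = advertised[j];
            /* Shift the unplaced entries right to keep their order. */
            for (size_t k = j; k > base; k--)
                advertised[k] = advertised[k - 1];
            advertised[base++] = hit;
            break;
        }
    }
}

int main(void)
{
    /* Constructed sample: types listed in a preauth-required KDC reply. */
    int advertised[] = { PA_ETYPE_INFO2, PA_ENC_TIMESTAMP, PA_PK_AS_REQ };
    /* Assumed preference list: the PKINIT types. */
    const int preferred[] = { 17, 16, 15, 14 };

    sort_by_preference(advertised, 3, preferred, 4);
    for (size_t i = 0; i < 3; i++)
        printf("%d ", advertised[i]);
    printf("\n");
    return 0;
}
```

With the sample list, PKINIT (16) moves ahead of encrypted timestamp (2); a KDC list without any PKINIT type comes back unchanged.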