[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: /etc/krb5.conf

johanna bromberg craig <canna@xxxxxxxxx> writes:
> Message-Id: <3329AC4B-0268-46F7-993C-C473C251A419@xxxxxxxxx>
> To: umce.linux@xxxxxxxxx
> From: johanna bromberg craig <canna@xxxxxxxxx>
> Subject: /etc/krb5.conf
> Date: Tue, 31 Jan 2006 21:17:02 -0500
> hey all,
> marcus recently brought a problem with the weblogin servers to the  
> cosign team's attention - basically these 2 lines in /etc/krb5.conf:
> 	default_tkt_enctypes = des-cbc-crc
> 	default_tgs_enctypes = des-cbc-crc
> these lines cause a certain number of users to get a  
> "preauthentication failed" error when they authenticate to https:// 
> weblogin.umich.edu. I've removed these lines on https://cosign- 
> test.www.umich.edu and this seems to have fixed the problem ( thanks,  
> Marcus :). I plan to propagate this fix out to the production  
> weblogin servers during a near future maintenance window.
> The reason I mention this to the group is that a "twhich -a" on the  
> weblogin servers shows an /etc/krb5.conf in both lfs base and in the  
> mit krb transcripts. I figured someone else might run into this  
> eventually, so here it is, on the table, for discussion and what not.
> -Johanna

Yes, we should be removing default_tkt_enctypes and
default_tgs_enctypes lines from krb5.conf.  This is a Good Thing(tm).

Just to be clear however, this doesn't (directly) break any real users
today.  The "user" it broke was one of 5 test IDs I created for the
purposes of testing out newly deployed kerberos 5 initial
authentication code, and is specifically intended to exercise preauth
and string-to-salt issues, so we know it should work right for
everybody and we don't need to bother them again soon.

The time when this actually matter is if we decide to phase DES out.
MIT strongly encourages sites to do this, with good reason.

Here's the part of the message I had sent to one guy talking
about this:
I've also created several kerberos principals for you
to experiment with:

tprei	Welliuming-	normal principal, no preauth
tpreii	Efetoryp	DES AFS only, <= 8 characters, preauth
tpreiii	Nogrushrulu8	DES AFS only, > 8 characters, preauth
tpreiv	netiospodE?	normal principal, preauth
tprev	Ebadsenvan?	DES3 only, preauth

If you can make your code work with all these principals,
then you should not have problems later on when we
turn on preauthentication for most users.

Please don't change any of these passwords; you'll break them,
and we'd like to share these with other k4/k5 service providers
in the near future.

Umce folks should feel free to use these ids to test authentication as
well.  That's why they exist.  :-)