Hey all. At the day job, we found that a user was able to log in to one system, but not another -- and the difference was that everyone who *could* log in had the requires_preauth attribute set on their principal, and newu...@dom.ain didn't. This was with password, not GSSAPI, authentication (KerberosAuthentication yes; UsePAM no).

Both hosts were FreeBSD, running 11.4-RELEASE-patchlevelwhatever with the default sshd. Nearly identical sshd_configs. Both had all the right DNS.

Having figured that out, we went down the rabbit hole of figuring out what was different about the hosts: one of the *hosts'* Kerberos entries (the one they couldn't log into) also had REQUIRES_PRE_AUTH set.

Now, I've only loosely understood what REQUIRES_PRE_AUTH does. It's an offline attack prevention thing. Reading the O'Reilly Kerberos bit made it a bit clearer, and this page made it quite clear: https://ldapwiki.com/wiki/Kerberos%20Pre-Authentication

None of those docs were on the MIT website. This (confusing) page is the only mention I could find in the first page of Google results on the MIT website for "Kerberos Preauth": https://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/clpreauth.html

And nowhere (except on a mailing list post I just found after solving the problem) does it say that if you set it on a host, you *must* set it on a user. Nothing mentions ssh. That could all be made clearer. https://comp.protocols.kerberos.narkive.com/8TmACXy8/gssapidelegatecredentials-only-works-for-requires-pre-auth-principals

I'm posting this so that hopefully someone in the future will find this.

Now, my questions for y'all:

1) Is my "if it's on the host entry, it must be on the user entry" basically accurate?

2) Preauth is a good thing. We need to go through and set requires_pre_auth for every host/f...@dom.aim entry and u...@dom.ain entry on our KDC. I can't find a way to list all princs that have (or don't have) a given attribute. Is there a way?

3) Is there a way to mass set these attributes?

4) Is there a way to make these attributes *the default* when adding a new princ? I can define a policy, but not an attribute-set for that policy.
Best,

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
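Questions 2 and 3 above (listing principals by attribute, then mass-setting it) can be answered with a small audit script around MIT kadmin, since kadmin itself has no attribute filter. The following is an added example, not code from the poster or from the MIT krb5 project. It parses the text that `kadmin.local -q "getprinc <principal>"` prints (the `Principal:` and `Attributes:` lines), reports every principal lacking REQUIRES_PRE_AUTH, and emits the `modprinc +requires_preauth` lines that can be fed to `kadmin.local` on stdin. The sample `getprinc` output embedded below is constructed; the principal names and realm DOM.AIN are placeholders, and the live-KDC helper at the bottom assumes it runs as root on the KDC itself.

```python
"""Audit MIT Kerberos principals for REQUIRES_PRE_AUTH and build a fix-up batch.

Added example; not part of the original mailing-list post.
"""
import subprocess
from typing import Dict, List, Set

# Constructed sample of `kadmin.local -q "getprinc NAME"` output for three
# principals, concatenated. Only the fields this script reads are shown in
# full; real output has more lines (keys, timestamps, policy, ...).
SAMPLE_GETPRINC_OUTPUT = """\
Principal: alice@DOM.AIN
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: newuser@DOM.AIN
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: [none]
Principal: host/box1.dom.ain@DOM.AIN
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]
"""


def parse_getprinc(text: str) -> Dict[str, Set[str]]:
    """Map each principal in getprinc output to its set of attribute flags.

    An `Attributes:` line with nothing after the colon means no flags are set,
    which is exactly the case that bit the poster (newuser@DOM.AIN here).
    """
    attrs: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = line[len("Principal: "):].strip()
            attrs[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            attrs[current] = set(line[len("Attributes:"):].split())
    return attrs


def principals_missing(attrs: Dict[str, Set[str]], attribute: str) -> List[str]:
    """Principals that do NOT carry the given attribute (e.g. REQUIRES_PRE_AUTH)."""
    return sorted(p for p, flags in attrs.items() if attribute not in flags)


def principals_having(attrs: Dict[str, Set[str]], attribute: str) -> List[str]:
    """Principals that DO carry the given attribute."""
    return sorted(p for p, flags in attrs.items() if attribute in flags)


def modprinc_batch(principals: List[str], flag: str = "+requires_preauth") -> str:
    """Build a kadmin command batch that sets `flag` on every listed principal.

    kadmin.local executes commands read from stdin, so the returned text can be
    piped straight into it:  kadmin.local < batch.txt
    """
    return "".join(f"modprinc {flag} {p}\n" for p in principals)


def fetch_getprinc_from_kdc() -> str:
    """Live helper (assumption: run as root on the KDC). Not exercised offline.

    listprincs prints one principal per line after a banner line; every line
    containing '@' is taken to be a principal name.
    """
    listing = subprocess.run(
        ["kadmin.local", "-q", "listprincs"],
        capture_output=True, text=True, check=True,
    ).stdout
    names = [ln.strip() for ln in listing.splitlines() if "@" in ln]
    chunks = []
    for name in names:
        chunks.append(subprocess.run(
            ["kadmin.local", "-q", f"getprinc {name}"],
            capture_output=True, text=True, check=True,
        ).stdout)
    return "".join(chunks)


if __name__ == "__main__":
    parsed = parse_getprinc(SAMPLE_GETPRINC_OUTPUT)
    missing = principals_missing(parsed, "REQUIRES_PRE_AUTH")
    print("Missing REQUIRES_PRE_AUTH:", missing)
    print("Batch for kadmin.local:\n" + modprinc_batch(missing), end="")
```

Run it against real data by replacing `SAMPLE_GETPRINC_OUTPUT` with `fetch_getprinc_from_kdc()`, review the printed batch, then pipe it into `kadmin.local`. For question 4, MIT krb5 reads the per-realm `default_principal_flags` setting in kdc.conf (for example `default_principal_flags = +preauth`) when creating new principals; that is a kdc.conf setting, not something a kadmin policy can carry.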