[OpenAFS] does cross-realm aklog require REQUIRES_PRE_AUTH attribute?
Simon Wilkinson
sxw@inf.ed.ac.uk
Sat, 5 May 2007 23:19:08 +0100 (BST)
On Sat, 5 May 2007, Adam Megacz wrote:
>
> I've found that when doing cross-realm trust between two AFS cells
> (both in MIT KDC realms), the foreign-realm principal trying to
> acquire tokens in the local realm must have REQUIRES_PRE_AUTH as an
> attribute in his/her realm in order for aklog to work.
I've found this happens if the cross-realm krbtgt principal has requires
preauth set. I don't think it's a feature of aklog.
However, you really should be using requires preauth on anything whose
key would be vulnerable to a dictionary attack.
Simon.