For an existing principal you can enable preauth from kadmin with:
modprinc +requires_preauth principalname

I don't know of a way to enable preauth globally aside from setting it for each principal.

-Mike

Gopal Paliwal wrote:
> Hi Friends,
>
> Recently I set up the whole kerberos system using MIT kerberos 1.6.1. When I
> run the kinit command I observe the results on ethereal.
> Following is my observation:
> $>kinit <username>
> I observe that as soon as I enter above command, ethereal captures 2 packets
> namely KRB5_AS_REQ and KRB5_AS_RES. After that I type password at my end to
> which is used to decrypt the session key(between TGS & Client), I get in
> response.
>
> I assume that for the above case "pre-auth mechanism" in kerberos is not
> activated. Even when I look at the code & RFC, I observe that preauth
> mechanism is optional.
>
> I wish to activate this mechanism for my set-up so that the password
> generated key will be used to encrypt the time-stamp at the client side and
> this encrypted stamp will be carried by the KRB5_AS_REQ to authentication
> server.
> That means I should see above message flow on the ethereal only when the
> user types both its username and password for kinit command.
>
> Could any one tell me how do I activate this preauth mechanism in my
> kerberos if my above assumption is on the correct track. And also point out
> the files I need to change to activate this mechanism.
>
> Thanks in advance.
>
> Regards,
> Gopal Paliwal
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
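
Since the reply above sets the flag one principal at a time, this added example (not part of the original thread, and not MIT's own tooling) audits which principals still lack it. It assumes the `Principal:` and `Attributes:` lines as printed by kadmin's `getprinc`; the function names, principal names and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Reads `getprinc` output for one or more principals on stdin and prints a
# `modprinc +requires_preauth` line for each principal whose Attributes line
# does not list REQUIRES_PRE_AUTH. Assumes the getprinc field layout below.
preauth_fixups() {
    awk '
        # Emit a fix-up command for the record just finished, if it needs one.
        function flush() {
            if (seen && !flagged) print "modprinc +requires_preauth " name
            seen = 0
        }
        # A new "Principal:" line closes the previous record and opens the next.
        /^Principal: / { flush(); name = substr($0, 12); seen = 1; flagged = 0 }
        /^Attributes:/ { if ($0 ~ /REQUIRES_PRE_AUTH/) flagged = 1 }
        END            { flush() }
    '
}

# Constructed sample input: names and realm are made up for illustration.
sample_getprinc_output() {
    cat <<'EOF'
Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@EXAMPLE.COM
Attributes:
Policy: [none]
Principal: carol@EXAMPLE.COM
Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH
Policy: [none]
Principal: dave@EXAMPLE.COM
Attributes: DISALLOW_FORWARDABLE
Policy: [none]
EOF
}

# Demo run on the constructed sample; real input would be getprinc output.
sample_getprinc_output | preauth_fixups
```

Review the printed commands before entering them at the kadmin prompt.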