[krbdev.mit.edu #8676] RFE: [realms] should support an "always_use_preauth" option

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[krbdev.mit.edu #8676] RFE: [realms] should support an "always_use_preauth" option

Greg Hudson via RT-2
Anyone who has watched the MIT Kerberos library speak to a Microsoft
Active Directory KDC knows that performing a simple kinit requires a
13-packet exchange:

    ---------------------------------------------------------
    packet              TCP                          Kerberos
    number  who  proto  options                      protocol
    ---------------------------------------------------------
         1    C  UDP                      AS-REQ (no preauth)
         2    S  UDP                 KRB5KDC_PREAUTH_REQUIRED
         3    C  UDP                    AS-REQ (with preauth)
         4    S  UDP             KRB5KRB_ERR_RESPONSE_TOO_BIG
         5    C  TCP    SYN
         6    S  TCP    SYN/ACK
         7    C  TCP    ACK
         8    C  TCP    PSH/ACK         AS-REQ (with preauth)
         9    S  TCP    PSH/ACK                        AS-REP
        10    C  TCP    ACK
        11    C  TCP    FIN/ACK
        12    S  TCP    ACK
        13    S  TCP    RST/ACK
    ---------------------------------------------------------

The first (UDP-based) exchange fails because the MIT Kerberos library
doesn't use preauth.  The second exchange fails because virtually all
responses from a Microsoft Active Directory KDC will include a PAC,
and thus will be unable to fit within a UDP packet.

There is a [libdefaults] option, udp_preference_limit, that can be
used to tell the MIT Kerberos library to always use TCP instead of
UDP.  But when speaking to an Active Directory KDC, setting that
option to 0 (to always force TCP) in fact makes the exchange *worse*,
not better:

    ---------------------------------------------------------
    packet              TCP                          Kerberos
    number  who  proto  options                      protocol
    ---------------------------------------------------------
         1    C  TCP    SYN
         2    S  TCP    SYN/ACK
         3    C  TCP    ACK
         4    C  TCP    PSH/ACK           AS-REQ (no preauth)
         5    S  TCP    PSH/ACK      KRB5KDC_PREAUTH_REQUIRED
         6    C  TCP    ACK
         7    C  TCP    FIN/ACK
         8    S  TCP    ACK
         9    S  TCP    RST/ACK
        10    C  TCP    SYN
        11    S  TCP    SYN/ACK
        12    C  TCP    ACK
        13    C  TCP    PSH/ACK         AS-REQ (with preauth)
        14    S  TCP    PSH/ACK                        AS-REP
        15    C  TCP    ACK
        16    C  TCP    FIN/ACK
        17    S  TCP    ACK
        18    S  TCP    RST/ACK
    ---------------------------------------------------------

Rather than taking 2 UDP packets to discover that preauth is required,
it takes 9 TCP packets.

If there were a [realms]-specific option for the administrator to tell
the MIT Kerberos library that a specific realm *always* requires
preauth, then the useless KRB5KDC_PREAUTH_REQUIRED exchange (2 UDP
packets or 9 TCP packets) could be avoided.  Combined with setting
udp_preference_limit, this could meaningfully reduce the packet
exchange count required for an initial kinit:

    ---------------------------------------------------------
    packet              TCP                          Kerberos
    number  who  proto  options                      protocol
    ---------------------------------------------------------
         1    C  TCP    SYN
         2    S  TCP    SYN/ACK
         3    C  TCP    ACK
         4    C  TCP    PSH/ACK         AS-REQ (with preauth)
         5    S  TCP    PSH/ACK                        AS-REP
         6    C  TCP    ACK
         7    C  TCP    FIN/ACK
         8    S  TCP    ACK
         9    S  TCP    RST/ACK
    ---------------------------------------------------------

Therefore, please consider adding a [realms]-specific option to force
the MIT Kerberos libraries to always use preauth when talking to the
KDCs for the realm in question.

_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs