Developing a preauth plugin
- Read RFC 4120
- draft-ietf-krb-wg-preauth-framework (version 16 current as of 4/27/2010)
- src/plugins/preauth/encrypted_challenge/* for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
- ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html
- There is no way to require that a certain preauth method is used.
- Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
- FAST-based preauth (see draft-ietf-krb-wg-preauth-framework) support is largely unimplemented from a practical usage perspective at this point.
krbdev thread References for above:
Notes and Debugging Tips
DEBUG as part of your build to tickle logging of more info in your KDC log file (probably
<syslog.h>, link against
kadm5<something> and make liberal use of
- Testing a FAST factor preauth plugin such as
- Make use of
- Make use of Wireshark (terminal-based command is tshark for those without graphical environments) for examining network traffic.