K5Wiki - User contributions [en]

Developing a preauth plugin

2010-05-05T13:31:44Z

Jblaine: /* Pre-authentication Limitations */

== Recommended Reading ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
* FAST-based preauth (see <code>draft-ietf-krb-wg-preauth-framework</code>) support is largely unimplemented from a practical usage perspective at this point.

krbdev thread References for above:
* http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html
* http://mailman.mit.edu/pipermail/krbdev/2010-April/008933.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>
* Make use of [http://www.wireshark.org/ Wireshark] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic.

Developing a preauth plugin

2010-05-05T13:28:09Z

Jblaine: /* Pre-authentication Limitations */

== Recommended Reading ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
* FAST-based preauth (see <code>draft-ietf-krb-wg-preauth-framework</code>) support is largely unimplemented from a practical usage perspective at this point.

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>
* Make use of [http://www.wireshark.org/ Wireshark] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic.

Developing a preauth plugin

2010-05-05T13:27:33Z

Jblaine: /* Pre-authentication Limitations */

== Recommended Reading ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
* FAST-based preauth support is largely unimplemented from a practical usage perspective at this point.

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>
* Make use of [http://www.wireshark.org/ Wireshark] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic.

Developing a preauth plugin

2010-05-05T13:24:48Z

Jblaine: /* Notes and Debugging Tips */

== Recommended Reading ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>
* Make use of [http://www.wireshark.org/ Wireshark] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic.

Developing a preauth plugin

2010-05-05T13:22:20Z

Jblaine: /* Notes and Debugging Tips */

== Recommended Reading ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>
* Make use of [Wireshark | http://www.wireshark.org/] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic.

Developing a preauth plugin

2010-04-30T16:44:45Z

Jblaine: /* Notes and Debugging Tips */

== Recommended Reading ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>

Developing a preauth plugin

2010-04-30T16:44:15Z

Jblaine: /* Notes and Debugging Tips */

== Recommended Reading ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in <code>krb5.conf</code>'s <code>[libdefaults]</code>

Developing a preauth plugin

2010-04-30T16:34:33Z

Jblaine: /* Debugging Tips */

Developing a preauth plugin

2010-04-30T16:30:38Z

Jblaine: /* Debugging Tips */

Developing a preauth plugin

2010-04-30T16:29:49Z

Jblaine: /* Debugging Tips */

Developing a preauth plugin

2010-04-28T14:20:58Z

Jblaine: /* Debugging Tips */

Developing a preauth plugin

2010-04-28T14:19:10Z

Jblaine:

Developing a preauth plugin

2010-04-28T03:04:30Z

Jblaine: Preauth-plugin-development moved to Developing a preauth plugin: I'm lame

== Highly Recommended Reading to even Get Started ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Debugging Tips ==
* <code>#define DEBUG 1</code> in the top of <code>src/kdc/kdc_preauth.c</code> to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Make liberal use of <code>krb5_klog_syslog</code>

Preauth-plugin-development

2010-04-28T03:04:30Z

Jblaine: Preauth-plugin-development moved to Developing a preauth plugin: I'm lame

#REDIRECT [[Developing a preauth plugin]]

Plugin development

2010-04-28T03:03:17Z

Jblaine:

* [[Developing a preauth plugin | Pre-authentication plugin development]]

Developing a preauth plugin

2010-04-28T03:01:41Z

Jblaine:

Developing a preauth plugin

2010-04-28T03:01:24Z

Jblaine:

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Highly Recommended Reading to even Get Started ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Debugging Tips ==
* <code>#define DEBUG 1</code> in the top of <code>src/kdc/kdc_preauth.c</code> to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Make liberal use of <code>krb5_klog_syslog</code>

Developing a preauth plugin

2010-04-28T03:01:05Z

Jblaine: New page: = Pre-authentication Plugin Author Notes = == Pre-authentication Limitations == * There is no way to require that a certain preauth method is used. * Likewise, there is also no way to indi...

= Pre-authentication Plugin Author Notes =
== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

== Highly Recommended Reading to even Get Started ==
* Read RFC 4210
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Debugging Tips ==
* <code>#define DEBUG 1</code> in the top of <code>src/kdc/kdc_preauth.c</code> to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Make liberal use of <code>krb5_klog_syslog</code>

Plugin development

2010-04-28T03:00:57Z

Jblaine:

* [[preauth-plugin-development | preauth plugin development]]

Plugin development

2010-04-28T03:00:31Z

Jblaine: New page: <code>preauth</code> plugin development

[[preauth-plugin-development | <code>preauth</code> plugin development]]

Developer resources

2010-02-19T15:14:09Z

Jblaine: /* Documentation */

This page lists resources that [[developers]] use on a regular basis. One goal of the page is to help those beginning to track the project know what they may be interested in looking at.
==Documentation==

* The [http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-install.html Installation Guide] describes how to build and install MIT Kerberos.
* The 1.7 [http://web.mit.edu/kerberos/krb5-1.7/#documentation documentation site] contains administrator and user documentation; while not directly targeted at developers, this documentation helps understand the product.
* Unfortunately there is no stable web pointer to the current version of MIT Kerberos documentation; as such the above links will eventually point to outdated documentation.
* The [[Glossary]] is a quick index of acronyms and terms related to Kerberos, which you may come across while reading the code.
* [[Plugin development]] notes, pointers, tips, etc (needed!)

==Mailing lists==

Much of the discussion of new proposals, discussion of what direction to take the product and answering of questions takes place on mailing lists.

* [http://mailman.mit.edu/mailman/listinfo/krbdev krbdev@mit.edu] is the primary list for developers of [[MIT Kerberos]].
* [http://mailman.mit.edu/mailman/listinfo/kfwdev kfwdev@mit.edu] serves a similar purpose for [[Kerberos for Windows]].
* [http://mailman.mit.edu/mailman/listinfo/cvs-krb5 cvs-krb5@mit.edu] receives all [[Subversion]] commit messages and allows developers to track all changes made to MIT Kerberos.
* [http://mailman.mit.edu/mailman/listinfo/krb5-bugs krb5-bugs@mit.edu] is notified when a [[ticket]] is created or updated. This list helps track bugs and feature requests.
* krbcore@mit.edu is a private list for [[Krbcore]]; send mail to this list if you need to contact the core team.
* krbcore-security@mit.edu is the point of contact for security problems with MIT Kerberos.

==Source code==

The MIT Kerberos sources are in a [[Subversion]] repository.

* svn://anonsvn.mit.edu/krb5 provides read-only [[Subversion]] access to the repository.
* [http://src.mit.edu/fisheye/browse/krb5 FishEye] a feature-rich view of the repository
* [http://src.mit.edu/opengrok/ OpenGrok] provides an interface that allows you to search for the definition or usage of a specific function; it is somewhat better for cross references than FishEye.
* http://anonsvn.mit.edu/viewvc/krb5 provides a more basic form of web access to the entire repository.

* [[Committers]] have access to a URI that allows them to commit changes to the repository.

==Bug tracking==

* http://krbdev.mit.edu/rt/ is the interface to the bug tracking server.
* Log in with user name guest and password guest. (or use the guest login button)
* See {{trunkref|doc/procedures.txt}} for some information on bug states.

== Instant messaging ==

[[IRC and Jabber]]

== Lore ==

You may find relevant accumulated lore in [[:Category:Lore]].

Developer resources

2010-02-19T15:13:48Z

Jblaine: /* Documentation */

This page lists resources that [[developers]] use on a regular basis. One goal of the page is to help those beginning to track the project know what they may be interested in looking at.
==Documentation==

* The [http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-install.html Installation Guide] describes how to build and install MIT Kerberos.
* The 1.7 [http://web.mit.edu/kerberos/krb5-1.7/#documentation documentation site] contains administrator and user documentation; while not directly targeted at developers, this documentation helps understand the product.
* Unfortunately there is no stable web pointer to the current version of MIT Kerberos documentation; as such the above links will eventually point to outdated documentation.
* The [[Glossary]] is a quick index of acronyms and terms related to Kerberos, which you may come across while reading the code.
* [[Plugin development]] notes, pointers, tips, etc.

==Mailing lists==

Much of the discussion of new proposals, discussion of what direction to take the product and answering of questions takes place on mailing lists.

* [http://mailman.mit.edu/mailman/listinfo/krbdev krbdev@mit.edu] is the primary list for developers of [[MIT Kerberos]].
* [http://mailman.mit.edu/mailman/listinfo/kfwdev kfwdev@mit.edu] serves a similar purpose for [[Kerberos for Windows]].
* [http://mailman.mit.edu/mailman/listinfo/cvs-krb5 cvs-krb5@mit.edu] receives all [[Subversion]] commit messages and allows developers to track all changes made to MIT Kerberos.
* [http://mailman.mit.edu/mailman/listinfo/krb5-bugs krb5-bugs@mit.edu] is notified when a [[ticket]] is created or updated. This list helps track bugs and feature requests.
* krbcore@mit.edu is a private list for [[Krbcore]]; send mail to this list if you need to contact the core team.
* krbcore-security@mit.edu is the point of contact for security problems with MIT Kerberos.

==Source code==

The MIT Kerberos sources are in a [[Subversion]] repository.

* svn://anonsvn.mit.edu/krb5 provides read-only [[Subversion]] access to the repository.
* [http://src.mit.edu/fisheye/browse/krb5 FishEye] a feature-rich view of the repository
* [http://src.mit.edu/opengrok/ OpenGrok] provides an interface that allows you to search for the definition or usage of a specific function; it is somewhat better for cross references than FishEye.
* http://anonsvn.mit.edu/viewvc/krb5 provides a more basic form of web access to the entire repository.

* [[Committers]] have access to a URI that allows them to commit changes to the repository.

==Bug tracking==

* http://krbdev.mit.edu/rt/ is the interface to the bug tracking server.
* Log in with user name guest and password guest. (or use the guest login button)
* See {{trunkref|doc/procedures.txt}} for some information on bug states.

== Instant messaging ==

[[IRC and Jabber]]

== Lore ==

You may find relevant accumulated lore in [[:Category:Lore]].

Developer resources

2010-02-19T15:09:42Z

Jblaine: /* Documentation */

This page lists resources that [[developers]] use on a regular basis. One goal of the page is to help those beginning to track the project know what they may be interested in looking at.
==Documentation==

* The [http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-install.html Installation Guide] describes how to build and install MIT Kerberos.
* The 1.7 [http://web.mit.edu/kerberos/krb5-1.7/#documentation documentation site] contains administrator and user documentation; while not directly targeted at developers, this documentation helps understand the product.
* Unfortunately there is no stable web pointer to the current version of MIT Kerberos documentation; as such the above links will eventually point to outdated documentation.
* The [[Glossary]] is a quick index of acronyms and terms related to Kerberos, which you may come across while reading the code.

==Mailing lists==

Much of the discussion of new proposals, discussion of what direction to take the product and answering of questions takes place on mailing lists.

* [http://mailman.mit.edu/mailman/listinfo/krbdev krbdev@mit.edu] is the primary list for developers of [[MIT Kerberos]].
* [http://mailman.mit.edu/mailman/listinfo/kfwdev kfwdev@mit.edu] serves a similar purpose for [[Kerberos for Windows]].
* [http://mailman.mit.edu/mailman/listinfo/cvs-krb5 cvs-krb5@mit.edu] receives all [[Subversion]] commit messages and allows developers to track all changes made to MIT Kerberos.
* [http://mailman.mit.edu/mailman/listinfo/krb5-bugs krb5-bugs@mit.edu] is notified when a [[ticket]] is created or updated. This list helps track bugs and feature requests.
* krbcore@mit.edu is a private list for [[Krbcore]]; send mail to this list if you need to contact the core team.
* krbcore-security@mit.edu is the point of contact for security problems with MIT Kerberos.

==Source code==

The MIT Kerberos sources are in a [[Subversion]] repository.

* svn://anonsvn.mit.edu/krb5 provides read-only [[Subversion]] access to the repository.
* [http://src.mit.edu/fisheye/browse/krb5 FishEye] a feature-rich view of the repository
* [http://src.mit.edu/opengrok/ OpenGrok] provides an interface that allows you to search for the definition or usage of a specific function; it is somewhat better for cross references than FishEye.
* http://anonsvn.mit.edu/viewvc/krb5 provides a more basic form of web access to the entire repository.

* [[Committers]] have access to a URI that allows them to commit changes to the repository.

==Bug tracking==

* http://krbdev.mit.edu/rt/ is the interface to the bug tracking server.
* Log in with user name guest and password guest. (or use the guest login button)
* See {{trunkref|doc/procedures.txt}} for some information on bug states.

== Instant messaging ==

[[IRC and Jabber]]

== Lore ==

You may find relevant accumulated lore in [[:Category:Lore]].