Developing a preauth plugin

2011-06-07T19:37:28Z

MattCrawford: RFC number wrong: 4210 s/b 4120 /* Recommended Reading */

== Recommended Reading ==
* Read RFC 4120
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
* Read <code>src/include/krb5/preauth_plugin.h</code>
* Read <code>src/plugins/preauth/encrypted_challenge/*</code> for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

== Pre-authentication Limitations ==
* There is no way to require that a certain preauth method is used.
* Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
* FAST-based preauth (see <code>draft-ietf-krb-wg-preauth-framework</code>) support is largely unimplemented from a practical usage perspective at this point.

krbdev thread References for above:
* http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html
* http://mailman.mit.edu/pipermail/krbdev/2010-April/008933.html

== Notes and Debugging Tips ==
* Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
* Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
* Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
* Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>
* Make use of [http://www.wireshark.org/ Wireshark] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic.

K5Wiki - User contributions [en]

Developing a preauth plugin