Difference between revisions of "Developing a preauth plugin"
From K5Wiki
MattCrawford (talk | contribs) m (RFC number wrong: 4210 s/b 4120 →Recommended Reading) |
|||
| (14 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| − | |||
| ⚫ | |||
| − | |||
| ⚫ | |||
| ⚫ | |||
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010) |
* Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010) |
||
* Read <code>src/include/krb5/preauth_plugin.h</code> |
* Read <code>src/include/krb5/preauth_plugin.h</code> |
||
| Line 12: | Line 6: | ||
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html |
* ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| − | * Make liberal use of <code>krb5_klog_syslog</code> |
||
| ⚫ | |||
| + | * FAST-based preauth (see <code>draft-ietf-krb-wg-preauth-framework</code>) support is largely unimplemented from a practical usage perspective at this point. |
||
| + | |||
| + | krbdev thread References for above: |
||
| ⚫ | |||
| + | * http://mailman.mit.edu/pipermail/krbdev/2010-April/008933.html |
||
| + | |||
| ⚫ | |||
| ⚫ | |||
| + | * Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code> |
||
| + | * Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html |
||
| + | * Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code> |
||
| + | * Make use of [http://www.wireshark.org/ Wireshark] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic. |
||
Latest revision as of 14:37, 7 June 2011
Recommended Reading
- Read RFC 4120
- Read
draft-ietf-krb-wg-preauth-framework(version 16 current as of 4/27/2010) - Read
src/include/krb5/preauth_plugin.h - Read
src/plugins/preauth/encrypted_challenge/*for a (tragically) comment-less implementation of a preauth plugin implemented using FAST - ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html
Pre-authentication Limitations
- There is no way to require that a certain preauth method is used.
- Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
- FAST-based preauth (see
draft-ietf-krb-wg-preauth-framework) support is largely unimplemented from a practical usage perspective at this point.
krbdev thread References for above:
- http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html
- http://mailman.mit.edu/pipermail/krbdev/2010-April/008933.html
Notes and Debugging Tips
- Define
DEBUGas part of your build to tickle logging of more info in your KDC log file (proabablykrb5kdc.log). - Include
<syslog.h>, link againstkadm5<something>and make liberal use ofkrb5_klog_syslog - Testing a FAST factor preauth plugin such as
encrypted-challenge: http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html - Make use of
preferred_preauth_typesin the[libdefaults]section ofkrb5.conf - Make use of Wireshark (terminal-based command is
tsharkfor those without graphical environments) for examining network traffic.
