
Difference between revisions of "Developing a preauth plugin"

From K5Wiki
Edit summary (minor edit, section Recommended Reading): RFC number wrong: 4210 s/b 4120
 
(11 intermediate revisions by one other user not shown)
Line 1:
  == Recommended Reading ==
- * Read RFC 4210
+ * Read RFC 4120
  * Read <code>draft-ietf-krb-wg-preauth-framework</code> (version 16 current as of 4/27/2010)
  * Read <code>src/include/krb5/preauth_plugin.h</code>
Line 9:
  * There is no way to require that a certain preauth method is used.
  * Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
+ * FAST-based preauth (see <code>draft-ietf-krb-wg-preauth-framework</code>) support is largely unimplemented from a practical usage perspective at this point.
- References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html
+ krbdev thread References for above:
+ * http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html
+ * http://mailman.mit.edu/pipermail/krbdev/2010-April/008933.html
- == Debugging Tips ==
+ == Notes and Debugging Tips ==
- * <code>#define DEBUG 1</code> in the top of <code>src/kdc/kdc_preauth.c</code> to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
+ * Define <code>DEBUG</code> as part of your build to tickle logging of more info in your KDC log file (proabably <code>krb5kdc.log</code>).
- * Make liberal use of <code>krb5_klog_syslog</code>
+ * Include <code><syslog.h></code>, link against <code>kadm5<something></code> and make liberal use of <code>krb5_klog_syslog</code>
+ * Testing a FAST factor preauth plugin such as <code>encrypted-challenge</code> : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
+ * Make use of <code>preferred_preauth_types</code> in the <code>[libdefaults]</code> section of <code>krb5.conf</code>
+ * Make use of [http://www.wireshark.org/ Wireshark] (terminal-based command is <code>tshark</code> for those without graphical environments) for examining network traffic.
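Review bot: the rewritten DEBUG bullet carries the misspelling "proabably" over from the line it replaces (it should read "probably"), and the new syslog bullet's "link against <code>kadm5<something></code>" leaves the library name unresolved; either name the library or mark it explicitly as still to be confirmed so the tip is actionable.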

Latest revision as of 14:37, 7 June 2011

Recommended Reading

  • Read RFC 4120
  • Read draft-ietf-krb-wg-preauth-framework (version 16 current as of 4/27/2010)
  • Read src/include/krb5/preauth_plugin.h
  • Read src/plugins/preauth/encrypted_challenge/* for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
  • ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

Pre-authentication Limitations

  • There is no way to require that a certain preauth method is used.
  • Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
  • FAST-based preauth (see draft-ietf-krb-wg-preauth-framework) support is largely unimplemented from a practical usage perspective at this point.

krbdev thread References for above:

  • http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html
  • http://mailman.mit.edu/pipermail/krbdev/2010-April/008933.html

Notes and Debugging Tips

  • Define DEBUG as part of your build to tickle logging of more info in your KDC log file (probably krb5kdc.log).
  • Include <syslog.h>, link against kadm5<something> and make liberal use of krb5_klog_syslog
  • Testing a FAST factor preauth plugin such as encrypted-challenge: http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
  • Make use of preferred_preauth_types in the [libdefaults] section of krb5.conf
  • Make use of Wireshark (terminal-based command is tshark for those without graphical environments) for examining network traffic.
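When you follow the last two tips and look at a KDC_ERR_PREAUTH_REQUIRED reply in a capture, what the KDC advertises is a METHOD-DATA (SEQUENCE OF PA-DATA, RFC 4120 section 5.2.7) carried in the error's e-data, and preferred_preauth_types decides which of those advertised types the client attempts first. The following is an added example, not code from this wiki page or from the krb5 tree: it decodes such a METHOD-DATA, names the padata-types it finds, and reorders them the way a preferred_preauth_types setting intends. The sample bytes are constructed by hand (four PA-DATA with empty padata-value, types 2, 19, 136 and 138), the reordering is an illustration of the setting's effect and not a copy of libkrb5's implementation, and all function names (method_data_types, apply_preference, and so on) belong to this example.

```c
/* Added example, not code from K5Wiki or the krb5 tree: decode a METHOD-DATA
 * (SEQUENCE OF PA-DATA, RFC 4120 5.2.7) as sent in KDC_ERR_PREAUTH_REQUIRED
 * e-data, list the advertised padata-types, and show the attempt order a
 * client with preferred_preauth_types set would use. */
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not a capture): four PA-DATA with empty padata-value,
 * types 2 (PA-ENC-TIMESTAMP), 19 (PA-ETYPE-INFO2), 136 (PA-FX-FAST) and
 * 138 (PA-ENCRYPTED-CHALLENGE). 136 and 138 need two-byte DER INTEGERs. */
static const uint8_t SAMPLE_METHOD_DATA[] = {
    0x30, 0x2e,
    0x30, 0x09, 0xa1, 0x03, 0x02, 0x01, 0x02, 0xa2, 0x02, 0x04, 0x00,
    0x30, 0x09, 0xa1, 0x03, 0x02, 0x01, 0x13, 0xa2, 0x02, 0x04, 0x00,
    0x30, 0x0a, 0xa1, 0x04, 0x02, 0x02, 0x00, 0x88, 0xa2, 0x02, 0x04, 0x00,
    0x30, 0x0a, 0xa1, 0x04, 0x02, 0x02, 0x00, 0x8a, 0xa2, 0x02, 0x04, 0x00,
};

struct tlv { uint8_t tag; const uint8_t *val; size_t len; };

/* Read one DER element at *p, bounded by end (short-form and one- or two-byte
 * long-form lengths only). Advances *p; returns 0 on malformed input. */
static int der_read(const uint8_t **p, const uint8_t *end, struct tlv *t)
{
    const uint8_t *q = *p;
    size_t hdr, len;
    if (end - q < 2) return 0;
    if (q[1] < 0x80) { hdr = 2; len = q[1]; }
    else if (q[1] == 0x81 && end - q >= 3) { hdr = 3; len = q[2]; }
    else if (q[1] == 0x82 && end - q >= 4) { hdr = 4; len = ((size_t)q[2] << 8) | q[3]; }
    else return 0;                            /* indefinite or oversized length */
    if ((size_t)(end - q) - hdr < len) return 0;  /* truncated content */
    t->tag = q[0]; t->val = q + hdr; t->len = len;
    *p = q + hdr + len;
    return 1;
}

/* Decode a DER INTEGER into a non-negative Int32; a padata-type is never
 * negative or wider than 32 bits, so anything else is rejected. */
static int der_int32(const struct tlv *t, int32_t *out)
{
    int64_t v = 0; size_t i;
    if (t->len == 0 || t->len > 5 || (t->val[0] & 0x80)) return 0;
    for (i = 0; i < t->len; i++) v = (v << 8) | t->val[i];
    if (v > INT32_MAX) return 0;
    *out = (int32_t)v;
    return 1;
}

/* Collect the padata-type of every PA-DATA in a METHOD-DATA into types[].
 * Returns the count, or -1 if the encoding is malformed or max is exceeded. */
static int method_data_types(const uint8_t *buf, size_t buflen, int32_t *types, int max)
{
    const uint8_t *p = buf, *end = buf + buflen, *q, *qend, *r, *rend, *s;
    struct tlv seq, pa, f, in;
    int n = 0;

    if (!der_read(&p, end, &seq) || seq.tag != 0x30 || p != end) return -1;
    for (q = seq.val, qend = q + seq.len; q < qend; n++) {
        if (!der_read(&q, qend, &pa) || pa.tag != 0x30) return -1;
        r = pa.val; rend = r + pa.len;
        if (!der_read(&r, rend, &f) || f.tag != 0xa1) return -1;         /* [1] padata-type */
        s = f.val;
        if (!der_read(&s, f.val + f.len, &in) || in.tag != 0x02) return -1;
        if (n >= max || !der_int32(&in, &types[n])) return -1;
        if (!der_read(&r, rend, &f) || f.tag != 0xa2 || r != rend) return -1; /* [2] padata-value */
    }
    return n;
}

static const char *padata_name(int32_t t)
{
    switch (t) {
    case 2:   return "PA-ENC-TIMESTAMP";
    case 19:  return "PA-ETYPE-INFO2";
    case 136: return "PA-FX-FAST";
    case 138: return "PA-ENCRYPTED-CHALLENGE";
    default:  return "(other)";
    }
}

/* Order advertised types the way preferred_preauth_types intends: listed types
 * first, in listed order, the rest in the KDC's order. Illustration only, not libkrb5's code. */
static void apply_preference(const int32_t *adv, int n, const int32_t *pref, int npref, int32_t *out)
{
    int i, j, k = 0, seen;
    for (i = 0; i < npref; i++)
        for (j = 0; j < n; j++)
            if (adv[j] == pref[i]) { out[k++] = adv[j]; break; }
    for (j = 0; j < n; j++) {
        for (seen = 0, i = 0; i < k; i++) if (out[i] == adv[j]) seen = 1;
        if (!seen) out[k++] = adv[j];
    }
}

int main(void)
{
    int32_t adv[16], ord[16], i;
    static const int32_t pref[] = { 138, 2 };   /* preferred_preauth_types = 138, 2 */
    int n = method_data_types(SAMPLE_METHOD_DATA, sizeof SAMPLE_METHOD_DATA, adv, 16);

    if (n < 0) { fprintf(stderr, "malformed METHOD-DATA\n"); return 1; }
    apply_preference(adv, n, pref, 2, ord);
    for (i = 0; i < n; i++)
        printf("advertised %3d %-24s  tried #%d: %d %s\n", (int)adv[i],
               padata_name(adv[i]), (int)i + 1, (int)ord[i], padata_name(ord[i]));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the preference order in the example corresponds to `preferred_preauth_types = 138, 2` under `[libdefaults]` in krb5.conf, which puts the FAST encrypted-challenge factor ahead of the encrypted timestamp when the KDC advertises both. To inspect a real reply, feed the e-data bytes shown by tshark's Kerberos dissector to method_data_types instead of the constructed sample.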