Difference between revisions of "Developing a preauth plugin"

Latest revision as of 14:37, 7 June 2011

Recommended Reading

• Read RFC 4120
• Read draft-ietf-krb-wg-preauth-framework (version 16 current as of 4/27/2010)
• Read src/include/krb5/preauth_plugin.h
• Read src/plugins/preauth/encrypted_challenge/* for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
• ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

Pre-authentication Limitations

• There is no way to require that a certain preauth method is used.
• Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).
• FAST-based preauth (see draft-ietf-krb-wg-preauth-framework) support is largely unimplemented from a practical usage perspective at this point.

krbdev thread References for above:

• http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html
• http://mailman.mit.edu/pipermail/krbdev/2010-April/008933.html

Notes and Debugging Tips

• Define DEBUG as part of your build to tickle logging of more info in your KDC log file (proabably krb5kdc.log).
• Include <syslog.h>, link against kadm5<something> and make liberal use of krb5_klog_syslog
• Testing a FAST factor preauth plugin such as encrypted-challenge : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
• Make use of preferred_preauth_types in the [libdefaults] section of krb5.conf
• Make use of Wireshark (terminal-based command is tshark for those without graphical environments) for examining network traffic.