logo_kerberos.gif

Difference between revisions of "Developing a preauth plugin"

From K5Wiki
Jump to: navigation, search
(New page: = Pre-authentication Plugin Author Notes = == Pre-authentication Limitations == * There is no way to require that a certain preauth method is used. * Likewise, there is also no way to indi...)
 
Line 1: Line 1:
= Pre-authentication Plugin Author Notes =
 
 
== Pre-authentication Limitations ==
 
== Pre-authentication Limitations ==
 
* There is no way to require that a certain preauth method is used.
 
* There is no way to require that a certain preauth method is used.

Revision as of 23:01, 27 April 2010

Pre-authentication Limitations

  • There is no way to require that a certain preauth method is used.
  • Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

Highly Recommended Reading to even Get Started

  • Read RFC 4210
  • Read draft-ietf-krb-wg-preauth-framework (version 16 current as of 4/27/2010)
  • Read src/include/krb5/preauth_plugin.h
  • Read src/plugins/preauth/encrypted_challenge/* for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
  • ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

Debugging Tips

  • #define DEBUG 1 in the top of src/kdc/kdc_preauth.c to tickle logging of more info in your KDC log file (proabably krb5kdc.log).
  • Make liberal use of krb5_klog_syslog