Developing a preauth plugin

From K5Wiki

Revision as of 11:44, 30 April 2010 by Jblaine (talk | contribs) (→‎Notes and Debugging Tips)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Recommended Reading

Read RFC 4210
Read draft-ietf-krb-wg-preauth-framework (version 16 current as of 4/27/2010)
Read src/include/krb5/preauth_plugin.h
Read src/plugins/preauth/encrypted_challenge/* for a (tragically) comment-less implementation of a preauth plugin implemented using FAST
ghudson's quick flow overview at http://mailman.mit.edu/pipermail/krbdev/2010-April/008891.html

Pre-authentication Limitations

There is no way to require that a certain preauth method is used.
Likewise, there is also no way to indicate a preferred preauth flow (method A, then B, then C).

References for above: http://mailman.mit.edu/pipermail/krbdev/2010-April/008902.html

Notes and Debugging Tips

Define DEBUG as part of your build to tickle logging of more info in your KDC log file (proabably krb5kdc.log).
Include <syslog.h>, link against kadm5<something> and make liberal use of krb5_klog_syslog
Testing a FAST factor preauth plugin such as encrypted-challenge : http://mailman.mit.edu/pipermail/krbdev/2010-April/008935.html
Make use of preferred_preauth_types in krb5.conf's [libdefaults]

Retrieved from "https://k5wiki.kerberos.org./wiki?title=Developing_a_preauth_plugin&oldid=3254"

Navigation menu