[15694] in Kerberos_V5_Development
Re: Proper way to do logging (KDC) from preauth plugin?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 21 23:18:30 2010
From: Greg Hudson <ghudson@mit.edu>
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <4BCFB53C.2020401@kickflop.net>
Date: Wed, 21 Apr 2010 23:18:27 -0400
Message-ID: <1271906307.19726.40.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
> kdc_verify_preauth() is never called according to this
> (not for my plugin or any other):
Here's what's expected to happen:
* kinit sends an AS request with no preauth information.
* The KDC sees the requires_preauth flag on the principal and returns an
error with a list of possible preauth mechanisms (consulting each
module's get_edata method). The code path here is process_as_req()
calling missing_required_preauth(), receiving a non-null status, and
then calling get_preauth_hint_list().
* kinit processes the hint list, possibly asking for the user's password
or PIN.
* kinit sends another AS request with preauthentication.
* process_as_req() calls check_padata() to validate the
preauthentication. The modules which handle the preauthentication types
in the packet have their verify_padata methods invoked, until one
succeeds which is deemed "sufficient."
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev