[15694] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Proper way to do logging (KDC) from preauth plugin?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 21 23:18:30 2010

From: Greg Hudson <ghudson@mit.edu>
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <4BCFB53C.2020401@kickflop.net>
Date: Wed, 21 Apr 2010 23:18:27 -0400
Message-ID: <1271906307.19726.40.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
> kdc_verify_preauth() is never called according to this
> (not for my plugin or any other):

Here's what's expected to happen:

* kinit sends an AS request with no preauth information.

* The KDC sees the requires_preauth flag on the principal and returns an
error with a list of possible preauth mechanisms (consulting each
module's get_edata method).  The code path here is process_as_req()
calling missing_required_preauth(), receiving a non-null status, and
then calling get_preauth_hint_list().

* kinit processes the hint list, possibly asking for the user's password
or PIN.

* kinit sends another AS request with preauthentication.

* process_as_req() calls check_padata() to validate the
preauthentication.  The modules which handle the preauthentication types
in the packet have their verify_padata methods invoked, until one
succeeds which is deemed "sufficient."


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post