[15696] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Proper way to do logging (KDC) from preauth plugin?

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Thu Apr 22 11:59:47 2010

Message-ID: <4BD07263.6070304@kickflop.net>
Date: Thu, 22 Apr 2010 11:59:31 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <1271906307.19726.40.camel@ray>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

I have 1 plugin installed (mine).  It is never referenced
from what I can see stepping through gdb once a break
is hit on check_padata().  I did that just now based on
your reply.

 From what I can gather then, the non-plugin preauth
mech is working (verify_enc_timestamp() is called
and I have no plugin for enc challenge), so my plugin
is not referenced.  Does that sound like a reasonable
evaluation?

Any advice?  This preauth plugin must be called and
must succeed.

Thanks for the guidance so far.  Once I make some progress
(or I suppose even if I don't...), I'll update the wiki
with some notes from this exchange so the next person
has *something* to reference other than comment-less
source code :)

On 4/21/2010 11:18 PM, Greg Hudson wrote:
> On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
>> kdc_verify_preauth() is never called according to this
>> (not for my plugin or any other):
>
> Here's what's expected to happen:
>
> * kinit sends an AS request with no preauth information.
>
> * The KDC sees the requires_preauth flag on the principal and returns an
> error with a list of possible preauth mechanisms (consulting each
> module's get_edata method).  The code path here is process_as_req()
> calling missing_required_preauth(), receiving a non-null status, and
> then calling get_preauth_hint_list().
>
> * kinit processes the hint list, possibly asking for the user's password
> or PIN.
>
> * kinit sends another AS request with preauthentication.
>
> * process_as_req() calls check_padata() to validate the
> preauthentication.  The modules which handle the preauthentication types
> in the packet have their verify_padata methods invoked, until one
> succeeds which is deemed "sufficient."
>
>
>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post