[15696] in Kerberos_V5_Development
Re: Proper way to do logging (KDC) from preauth plugin?
daemon@ATHENA.MIT.EDU (Jeff Blaine)
Thu Apr 22 11:59:47 2010
Message-ID: <4BD07263.6070304@kickflop.net>
Date: Thu, 22 Apr 2010 11:59:31 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <1271906307.19726.40.camel@ray>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
I have 1 plugin installed (mine). It is never referenced
from what I can see stepping through gdb once a break
is hit on check_padata(). I did that just now based on
your reply.
From what I can gather then, the non-plugin preauth
mech is working (verify_enc_timestamp() is called
and I have no plugin for enc challenge), so my plugin
is not referenced. Does that sound like a reasonable
evaluation?
Any advice? This preauth plugin must be called and
must succeed.
Thanks for the guidance so far. Once I make some progress
(or I suppose even if I don't...), I'll update the wiki
with some notes from this exchange so the next person
has *something* to reference other than comment-less
source code :)
On 4/21/2010 11:18 PM, Greg Hudson wrote:
> On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
>> kdc_verify_preauth() is never called according to this
>> (not for my plugin or any other):
>
> Here's what's expected to happen:
>
> * kinit sends an AS request with no preauth information.
>
> * The KDC sees the requires_preauth flag on the principal and returns an
> error with a list of possible preauth mechanisms (consulting each
> module's get_edata method). The code path here is process_as_req()
> calling missing_required_preauth(), receiving a non-null status, and
> then calling get_preauth_hint_list().
>
> * kinit processes the hint list, possibly asking for the user's password
> or PIN.
>
> * kinit sends another AS request with preauthentication.
>
> * process_as_req() calls check_padata() to validate the
> preauthentication. The modules which handle the preauthentication types
> in the packet have their verify_padata methods invoked, until one
> succeeds which is deemed "sufficient."
>
>
>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev