[15697] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: preauth code questions

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Thu Apr 22 12:08:36 2010

Message-ID: <4BD07475.8040600@kickflop.net>
Date: Thu, 22 Apr 2010 12:08:21 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Luke Howard <lukeh@padl.com>
In-Reply-To: <7379EEF7-3359-47F5-8596-D4C2BEF1AEE6@padl.com>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 4/22/2010 2:45 AM, Luke Howard wrote:
> On 22/04/2010, at 2:32 AM, Jeff Blaine wrote:
>>>> * Is the client's IP address available in a preauth plugin?
>>>
>>> It doesn't look like it.
>>
>> My KDC preauth plugin wants to connect back to a service on
>> the client host.
>>
>> So I guess I'm screwed as far as making this a KDC-side-only
>> plugin?
>
> How about tunnelling the data in the KDC reply and having
 > the client send to the client-side service?

Hi Luke,

The goal is to make this KDC-only code and not require anything
new from clients Kerberos-wise (see "screwed" comment above :))

If there's no way to get the client IP address from within a
KDC-side preauth plugin (which would really be a bummer), the
whole logic will change to a 'standard' model of preauth where
the client will need to present the data in its reply (after
querying the client-side service in question).
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post