[15701] in Kerberos_V5_Development
Re: Proper way to do logging (KDC) from preauth plugin?
daemon@ATHENA.MIT.EDU (Jeff Blaine)
Thu Apr 22 23:59:45 2010
Message-ID: <4BD11B1F.9010609@kickflop.net>
Date: Thu, 22 Apr 2010 23:59:27 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <1271959043.19726.79.camel@ray>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 4/22/2010 1:57 PM, Greg Hudson wrote:
> On Thu, 2010-04-22 at 11:59 -0400, Jeff Blaine wrote:
>> Any advice? This preauth plugin must be called and
>> must succeed.
>
> I see. What you want is for your plugin to be invoked at preauth
> verification time even though the client doesn't have any understanding
> of your mechanism (because it happens out of band). Unfortunately, I
> don't think that kind of use is currently envisioned by the preauth
> framework.
Okay, so the KDC-only preauth method is a wash for what we wanted.
Fair enough.
From what I gather of your previous message, it is not possible
to indicate a 'required' preauth plugin. Is that also correct?
> The modules which handle the preauthentication types
> in the packet have their verify_padata methods invoked, until
> one succeeds which is deemed "sufficient."
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev