[15705] in Kerberos_V5_Development
Re: Proper way to do logging (KDC) from preauth plugin?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Apr 23 13:10:01 2010
From: Greg Hudson <ghudson@mit.edu>
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <4BD1C889.4050705@kickflop.net>
Date: Fri, 23 Apr 2010 13:09:45 -0400
Message-ID: <1272042585.19726.155.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Fri, 2010-04-23 at 12:19 -0400, Jeff Blaine wrote:
> I've found the logic in kdc/kdc_preauth.c where the ordering
> of pa stuff is done (around line 896).
This code orders the preauth_systems array, which determines the order
for get_edata and return_padata, but check_padata still uses the order
of padata elements in the request.
> How about a PA_REQUIRED flag and its appropriate handler code?
>
> Would that be a welcomed contribution?
There is actually already a PA_REQUIRED flag; see line 1168. The
semantics aren't necessarily intuitive, though. If a client supplies
padata for a PA_REQUIRED preauth mechanism and the verify_padata method
on that mechanism fails, the request will fail--but if the client does
not supply padata for that mechanism, the request could still succeed.
If my answers seem overly limited, it's because I didn't design this
framework and don't always know the intent of the code. The big
weaknesses I see are:
* The KDC configuration is limited to the "preauth required" and
"hardware preauth reuqired" principal flags. There is no way to
influence the suggested order of mechanisms, to require a specific
preauth mechanism, or to require FAST.
* There is no way to disable encrypted timestamp in the KDC or client
since it is not a plugin.
* On the client, there is a hardcoded default of using pkinit in
preference to other mechanisms. This suggests a poorly-satisfied need
for some kind of prioritization of mechanisms, although perhaps that
need would not exist if KDC configuration could determine the order of
the preauth hint list.
* The semantics of PA_REQUIRED may be useless.
For your specific use case, the inability to create "inputless" preauth
mechanisms and the inability to get the request's source IP address are
also blockers.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev