[15772] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Proper way to do logging (KDC) from preauth plugin?

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Fri May 7 11:54:40 2010

Message-ID: <4BE437AD.8020207@kickflop.net>
Date: Fri, 07 May 2010 11:54:21 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Sam Hartman <hartmans@mit.edu>
In-Reply-To: <tsly6g7k4f0.fsf@mit.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 4/28/2010 11:00 AM, Sam Hartman wrote:
> I think that configuration of which pa types should be required for a
> given user don't belong in a PA_REQUIRED flag.

Sam, I'm revisiting this flag this morning.

I'm not concerned right now with a per-user decision.

> /* Causes the KDC to include this mechanism in a list of
>  * supported preauth types if the user's DB entry flags
>  * the user as requiring preauthentication, and to fail
>  * preauthentication if we can't verify the client data.
>  * The flipside of PA_SUFFICIENT (server-only). */
> #define PA_REQUIRED     0x00000008

As this is described, this sounds like exactly what I want.

Deem a certain preauth plugin as required for anyone with
preauth_required on their principal.

No?
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post