[15772] in Kerberos_V5_Development
Re: Proper way to do logging (KDC) from preauth plugin?
daemon@ATHENA.MIT.EDU (Jeff Blaine)
Fri May 7 11:54:40 2010
Message-ID: <4BE437AD.8020207@kickflop.net>
Date: Fri, 07 May 2010 11:54:21 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Sam Hartman <hartmans@mit.edu>
In-Reply-To: <tsly6g7k4f0.fsf@mit.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 4/28/2010 11:00 AM, Sam Hartman wrote:
> I think that configuration of which pa types should be required for a
> given user don't belong in a PA_REQUIRED flag.
Sam, I'm revisiting this flag this morning.
I'm not concerned right now with a per-user decision.
> /* Causes the KDC to include this mechanism in a list of
> * supported preauth types if the user's DB entry flags
> * the user as requiring preauthentication, and to fail
> * preauthentication if we can't verify the client data.
> * The flipside of PA_SUFFICIENT (server-only). */
> #define PA_REQUIRED 0x00000008
As this is described, this sounds like exactly what I want.
Deem a certain preauth plugin as required for anyone with
preauth_required on their principal.
No?
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev