[16429] in Kerberos_V5_Development
Re: Implementing a multi-round trip preauthentication method
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Oct 6 08:42:34 2010
From: Sam Hartman <hartmans@mit.edu>
To: Alejandro Perez Mendez <alex@um.es>
Date: Wed, 06 Oct 2010 08:42:25 -0400
In-Reply-To: <4CAC2019.3050406@um.es> (Alejandro Perez Mendez's message of "Wed, 06 Oct 2010 09:07:05 +0200")
Message-ID: <tslfwwjlcge.fsf@live.suchdamage.org>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
First read the IETF draft-ietf-krb-wg-preauth-framework.
If you are doing a multi-round-trip mechanism you almost certainly want
to make it be a FAST factor.
On the client, it's relatively easy. There is an opaque state that is
passed from mechanism to mechanism.
All you'd need to do is implement support for
KDC_ERR_MORE_PREAUTH_DATA_NEEDED in .
On the KDC side it's more complicated. Currently, the constant cookie
MIT is sent in order to keep a conversation alive. You'll need to
provide a facility so that a preauth method can give information to the
KDC to be serialized into the cookie.
You'll also need to add handling for KDC_ERR_MORE_PREAUTH_DATA_NEEDED to
the KDC.
So, you'll potentially need to touch kdc/kdc_preauth.c, kdc/fast_util.c,
lib/krb5/krb/get_in_tkt.c, lib/krb5/krb/kdc_preauth.c.
Especially on the KDC side you'll need to expand the preauth plugin
interface.
There are some older mechanisms that use KDC_ERR_PREAUTH_REQUIRED for
multi-round-trip methods. I'd recommend against that approach for
anything new even though it seems like it may be easier.
--Sam
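As an added illustration, not MIT krb5 code and not part of the thread: a toy model of the KDC-side piece Sam describes, where a preauth mechanism's per-conversation state is serialized into the cookie the KDC hands back, bound to a KDC-local key so the client that echoes it cannot alter it, plus a client loop driven by KDC_ERR_MORE_PREAUTH_DATA_NEEDED. The hash-of-challenge mechanism, the JSON cookie layout and the HMAC construction are assumptions made for the example.

```python
import hashlib, hmac, json, os

# Error codes as numbered in RFC 4120 / RFC 6113 (the draft the mail cites became RFC 6113,
# which names code 91 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED; the mail uses the MIT spelling).
KRB_OK, KDC_ERR_PREAUTH_FAILED = 0, 24
KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_MORE_PREAUTH_DATA_NEEDED = 25, 91


class StatelessKdc:
    """Toy KDC: mechanism state survives between round trips only inside the cookie."""

    def __init__(self, rounds_required=3):
        self.rounds_required = rounds_required
        self.cookie_key = os.urandom(32)  # constructed KDC-local secret; never leaves the KDC
    def _seal(self, state):  # serialize mechanism state and bind it to this KDC's key
        body = json.dumps(state, sort_keys=True).encode()
        return body + hmac.new(self.cookie_key, body, hashlib.sha256).digest()
    def _open(self, cookie):  # None if the client altered the state it was asked to echo
        body, tag = cookie[:-32], cookie[-32:]
        if not hmac.compare_digest(hmac.new(self.cookie_key, body, hashlib.sha256).digest(), tag):
            return None
        return json.loads(body)
    def as_req(self, padata, cookie):
        """One AS-REQ. Returns (error code, challenge for the next round, cookie to echo)."""
        if cookie is None:  # first request of the conversation
            state = {"round": 0, "challenge": os.urandom(8).hex()}
            return KDC_ERR_PREAUTH_REQUIRED, state["challenge"], self._seal(state)
        state = self._open(cookie)
        if state is None:
            return KDC_ERR_PREAUTH_FAILED, None, None
        expected = hashlib.sha256(state["challenge"].encode()).hexdigest()
        if not hmac.compare_digest(padata or "", expected):
            return KDC_ERR_PREAUTH_FAILED, None, None
        state = {"round": state["round"] + 1, "challenge": os.urandom(8).hex()}
        if state["round"] < self.rounds_required:
            return KDC_ERR_MORE_PREAUTH_DATA_NEEDED, state["challenge"], self._seal(state)
        return KRB_OK, None, None


def client_authenticate(kdc, max_rounds=10, tamper=False):
    """Client loop: answer each challenge until the KDC stops asking for more preauth data."""
    padata, cookie = None, None
    for _ in range(max_rounds):
        code, challenge, cookie = kdc.as_req(padata, cookie)
        if code == KRB_OK:
            return True
        if code not in (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_MORE_PREAUTH_DATA_NEEDED):
            return False
        if tamper:  # flip one bit of the serialized state the KDC handed back
            cookie = bytes([cookie[0] ^ 1]) + cookie[1:]
        padata = hashlib.sha256(challenge.encode()).hexdigest()
    return False
```

The MAC stops a client from editing the round counter, but on its own it does not stop a client from replaying an older cookie together with its earlier answer; a real cookie also needs freshness (timestamp or nonce) bound in so the KDC can refuse rewound conversations.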