preauth plugin configuration issues

[Nicolas Williams]

On Fri, Mar 02, 2007 at 03:28:11PM -0500, Kevin Coffman wrote:
> >I don't understand -- why does having a pre-auth plug-in _loaded_ mean
> >that it must be properly configured?
> 
> The current code has no notion of a per-realm list of preauth methods.
> If a preuth module is loaded (and returns successfully from the
> plugin init function), it is assumed to be valid for all realms
> served.  This means that the KDC will return pkinit as a supported
> preauth type to all clients in all realms even if a particular realm
> is not configured correctly for pkinit.

For such realms the KDC will not be able to authenticate to the client
and the client will give up on PKINIT.  Painful, but not clearly wrong.

> I can complicate the pkinit initialization to keep track of which
> realms are properly configured.  Then return appropriately when called
> for a request in a realm not supported.  However, it seems as though
> this complication really belongs in the KDC preauth code instead of
> each plugin.

But you'd have to have the plug-in be aware of each realm's
configuration anyways.

Nico
--