Adding support for optimistic preauth to kinit
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sat Apr 3 20:09:06 EDT 2021
So during some recent testing, I realized that there is one bit of
functionality in kinit that is missing; the ability to set the optimistic
preauth list. By this, I mean a list of preauthentication types to try
first instead of falling back to a list based on the list from the
"preauth required" error code.
Why would you want to do this? Well, here's what we use that for:
- We have users that have a hardware preauth configured, but not required.
This allows them to use their password to access a subset of site
resources but optionally use their hardware token to access resources that
require the extra security of a hardware token.
- We have users that have multiple tokens configured (typically this is
a smartcard that is used with PKINIT and a one-time token that uses SAM2).
There are a number of times where you might want to use one or the
other (if one is non-functional, or you can't use a smartcard driver).
>From an architectural standpoint, the hard work is already done; the
library supports this via an already-exposed API in the get_init_creds
interface (krb5_get_init_creds_opt_set_preauth_list()). It's just
that kinit has no way to set this list.
What I was thinking was a new flag lets you add preauth types to the
optimistic preauth list. I'm not sure what letter makes sense as a lot
are already taken. Maybe -U? I have no preference here. What this
would look like would be:
% kinit -U pkinit -U sam2 -U 191 user at REALM
The idea here being you could pick from a small list of symbolic
names of preauth types, and if that wasn't sufficient you could add
a number to capture future types. You could add multiple options to
have multiple entries in the preauth list. I think this is relatively
straightforward to implement; what do people think of this idea? I'd be
glad to submit the code for it.
--Ken
More information about the krbdev
mailing list