Adding of name-value pair in PADATA field of KRB5_AS_REQ

Gopal Paliwal gopalpaliwal at gmail.com
Thu Aug 2 04:53:13 EDT 2007


Hi,
I wish to perform different types of preauth mechanism for different users.
The implementation will be such that some users will be authenticated
through the normal password-encrypted timestamp, some users will be
authenticated through the OTP-based mechanism, whereas some users will
require both types of pre-authentication.
I suppose that Kerberos by default supports the password-encrypted
timestamp, because when we do modprinc +requires_preauth principal, it
automatically activates the password-encrypted timestamp feature for that
particular user and it doesn't give us any option as of now to specify which
type of authentication is needed. Is there any way we can specify
different preauth mechanisms for different users?

I further wish to know how flexible it is to use the PADATA field in
KRB5_AS_REQ to send the multiple sequence of preauth type-value pairs. For
ex. one sequence of sending type(value) pair is PA_ENC_TIMESTAMP(value of
passwd encrypted timestamp) and the other type(value) pair in the same
request will be, let's say, PA_ENC_OTP(value of OTP encrypted timestamp).
Authentication server will do the client look up and from the preauth
mechanism set for that particular user, it will generate proper
preauth-error.

Also, I wish to know whether the authentication server uses LDAP or DB for
storing principal names and attributes by default.


Thanks,
gopal
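The second question above, whether the PADATA field of a KRB5_AS_REQ can carry several preauth type/value pairs at once and how a KDC would pick the ones a given principal needs, can be illustrated with a small worked example. The code below is an added example, not code from the original post or from MIT Kerberos. It DER-encodes and decodes a `SEQUENCE OF PA-DATA` as defined in RFC 4120 section 5.2.7 (`padata-type [1] Int32`, `padata-value [2] OCTET STRING`), then applies a constructed per-principal policy table to decide which required types are missing, which is the information a KDC would return in a `KDC_ERR_PREAUTH_REQUIRED` error. `PA_ENC_TIMESTAMP = 2` is the real RFC 4120 value; the OTP type number, the policy table, the principal names and the padata values are all assumptions made up for the example (the post's `PA_ENC_OTP` is not a standardised padata-type).

```python
"""Encode/decode a KRB5 PA-DATA sequence and apply a per-principal preauth policy.

Added example; not code from the original post or from MIT Kerberos.
The DER encoder/decoder here is minimal and handles only the tags PA-DATA uses.
"""

PA_ENC_TIMESTAMP = 2          # RFC 4120 padata-type for the encrypted timestamp
PA_HYPOTHETICAL_OTP = 9999    # placeholder for the post's "PA_ENC_OTP"; not a real assignment


# --- minimal DER helpers -----------------------------------------------------
def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    """DER INTEGER: minimal-length two's complement."""
    length = 1
    while not -(1 << (8 * length - 1)) <= v < (1 << (8 * length - 1)):
        length += 1
    return _tlv(0x02, v.to_bytes(length, "big", signed=True))


def _read_tlv(buf, pos):
    """Read one TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- PA-DATA sequence ----------------------------------------------------------
def encode_padata(entries):
    """entries: list of (padata_type, padata_value bytes) -> DER SEQUENCE OF PA-DATA."""
    items = b""
    for ptype, value in entries:
        pa = _tlv(0xA1, _der_int(ptype)) + _tlv(0xA2, _tlv(0x04, value))  # [1] Int32, [2] OCTET STRING
        items += _tlv(0x30, pa)                                           # one PA-DATA SEQUENCE
    return _tlv(0x30, items)                                              # SEQUENCE OF PA-DATA


def decode_padata(der):
    """Inverse of encode_padata; rejects anything that is not a well-formed PA-DATA sequence."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a SEQUENCE OF PA-DATA")
    entries = []
    pos = 0
    while pos < len(seq):
        tag, item, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PA-DATA entry is not a SEQUENCE")
        t1, ctx1, p = _read_tlv(item, 0)
        t2, ctx2, p = _read_tlv(item, p)
        if (t1, t2) != (0xA1, 0xA2) or p != len(item):
            raise ValueError("PA-DATA entry has unexpected components")
        it, ibody, _ = _read_tlv(ctx1, 0)
        vt, vbody, _ = _read_tlv(ctx2, 0)
        if it != 0x02 or vt != 0x04:
            raise ValueError("PA-DATA component has wrong universal tag")
        entries.append((int.from_bytes(ibody, "big", signed=True), vbody))
    return entries


# --- KDC-side policy check -----------------------------------------------------
# Constructed per-principal policy: the padata types each principal must present.
REQUIRED_PREAUTH = {
    "alice@EXAMPLE.COM": {PA_ENC_TIMESTAMP},
    "bob@EXAMPLE.COM": {PA_HYPOTHETICAL_OTP},
    "carol@EXAMPLE.COM": {PA_ENC_TIMESTAMP, PA_HYPOTHETICAL_OTP},
}


def check_preauth(principal, der_padata):
    """Return (ok, missing_types): the types a KDC would list in KDC_ERR_PREAUTH_REQUIRED."""
    required = REQUIRED_PREAUTH.get(principal, set())
    present = {ptype for ptype, _ in decode_padata(der_padata)}
    missing = sorted(required - present)
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed AS-REQ padata: both an encrypted timestamp and the hypothetical OTP value.
    req = encode_padata([(PA_ENC_TIMESTAMP, b"\x01\x02"), (PA_HYPOTHETICAL_OTP, b"\xaa\xbb")])
    print(req.hex())
    print(check_preauth("carol@EXAMPLE.COM", req))
```

The encoder shows that PADATA is simply a `SEQUENCE OF`, so a client may put any number of type/value pairs in one AS-REQ; the KDC-side check shows how a lookup of the principal's required types turns into the list of missing types sent back to the client. Note that the real value of the OTP type and the form of its padata-value are assumptions here, not something this example settles.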


