[krbdev.mit.edu #6430] If we fail to generate preauth, don't loop
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Tue Oct 13 12:26:21 EDT 2009
Greg, a couple of points. First, you do have code to track whether a
module has been used in the plugin path, but not in the internal
preauth system path. (I assumed it was in both places.) So, for
plugins, keeping track of whether you've already given up on a plugin
is relatively easy.
You do actually support optimistic preauth. There is both a config
parameter and a get_init_creds option to set the list of preauth types
to optimistically try. I think a reasonable medium-term fix for this
issue would be to treat preauth_failed as preauth_required in the
optimistic case but not in other cases. Long term, it would perhaps
be more correct to treat preauth_failed as preauth_required once you
had a mechanism for keeping track of preauth state better. Perhaps
getting rid of separate dispatch for built-in and plugins and simply
synthesizing plugin state for the built-in mechanisms would be a good
(post 1.8) wishlist item.
--Sam
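
The retry policy discussed in this message, sketched as an added example; it is not code from krb5 or from the ticket. The struct, function names and scripted-reply driver are hypothetical, and only the two error codes (from RFC 4120) are real values.

```c
#include <stdbool.h>
#include <stddef.h>

#define KDC_ERR_PREAUTH_FAILED   24   /* RFC 4120 error code */
#define KDC_ERR_PREAUTH_REQUIRED 25   /* RFC 4120 error code */

enum next_step { STEP_DONE, STEP_RETRY, STEP_FAIL };

/* Hypothetical per-mechanism state, kept for built-in and plugin mechanisms alike. */
struct pa_module {
    int  pa_type;
    bool can_generate;  /* constructed input: does padata generation succeed? */
    bool gave_up;       /* once set, the mechanism is never tried again */
};

/* First mechanism that can still produce padata; one that fails to generate
 * is marked so later passes skip it. NULL means nothing is left to try. */
static struct pa_module *pick_module(struct pa_module *m, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!m[i].gave_up && m[i].can_generate)
            return &m[i];
        m[i].gave_up = true;
    }
    return NULL;
}

/* React to one KDC reply code (0 = success). `optimistic` is true when the
 * request carried padata chosen before the KDC had asked for any. */
enum next_step handle_reply(int err, bool optimistic, struct pa_module *m, size_t n)
{
    if (err == 0)
        return STEP_DONE;
    bool restart = err == KDC_ERR_PREAUTH_REQUIRED ||
                   (err == KDC_ERR_PREAUTH_FAILED && optimistic);
    if (!restart)
        return STEP_FAIL;            /* real rejection or unrelated error */
    return pick_module(m, n) ? STEP_RETRY : STEP_FAIL;
}

/* Feed a scripted list of KDC replies; returns how many requests were sent. */
int run_exchange(const int *replies, size_t nr, bool optimistic,
                 struct pa_module *m, size_t n, enum next_step *out)
{
    size_t sent = 0;
    for (*out = STEP_RETRY; sent < nr && *out == STEP_RETRY; optimistic = false)
        *out = handle_reply(replies[sent++], optimistic, m, n);
    return (int)sent;
}
```

Only the first request can be optimistic, so a second PREAUTH_FAILED ends the exchange, and a mechanism that cannot generate padata is dropped instead of being asked again.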