pam_krb5 with PKINIT from Heimdal and MIT

[Nicolas Williams]

On Thu, Oct 12, 2006 at 04:12:42PM -0400, Nalin Dahyabhai wrote:
> The libkrb5 side of things goes through the list of preauth types
> suggested by the KDC, and the first preauth type for which it's able to
> obtain data is deemed good enough to fire off a request to the KDC.

In what order are the pre-auths attempted?

If we agree that PADATA should be considered to be unordered then a
client-side pre-auth preference/precedence order seems necessary.

Nico
--