pam_krb5 with PKINIT from Heimdal and MIT

Nicolas Williams Nicolas.Williams at
Thu Oct 12 17:13:06 EDT 2006

On Thu, Oct 12, 2006 at 04:12:42PM -0400, Nalin Dahyabhai wrote:
> The libkrb5 side of things goes through the list of preauth types
> suggested by the KDC, and the first preauth type for which it's able to
> obtain data is deemed good enough to fire off a request to the KDC.

In what order are the pre-auths attempted?

If we agree that PADATA should be considered to be unordered then a
client-side pre-auth preference/precedence order seems necessary.


More information about the krbdev mailing list