pam_krb5 with PKINIT from Heimdal and MIT
nalin at redhat.com
Thu Oct 12 18:20:34 EDT 2006
On Thu, Oct 12, 2006 at 04:13:06PM -0500, Nicolas Williams wrote:
> On Thu, Oct 12, 2006 at 04:12:42PM -0400, Nalin Dahyabhai wrote:
> > The libkrb5 side of things goes through the list of preauth types
> > suggested by the KDC, and the first preauth type for which it's able to
> > obtain data is deemed good enough to fire off a request to the KDC.
> In what order are the pre-auths attempted?

Traditionally, it was the order in which they were listed in the e-data
accompanying the preauth-required error from the KDC.

> If we agree that PADATA should be considered to be unordered then a
> client-side pre-auth preference/precedence order seems necessary.

Agreed. The recent changes added a libdefaults configuration option
("preferred_preauth_types") which bubbles specified types to the front
of the KDC-supplied list, with the default value for that option to make
libkrb5 prefer the pkinit preauth types ("17, 16, 15, 14").

The result is that if a KDC advertises that it implements pkinit, and a
module is loaded which can supply pkinit preauth data, it gets used.
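The ordering behaviour Nalin describes, as an added model that is not libkrb5 or pam_krb5 code: a "preferred_preauth_types" value is parsed, the types it names are bubbled to the front of the KDC-supplied list (types the KDC did not advertise are not added), the remaining types keep the KDC's order, and the first type for which a loaded module can supply data is selected. The KDC list and the "can supply" predicates are constructed sample input; the assumption that preferred types keep the order of the preference list among themselves is mine, not something the message states.

```python
"""Constructed model of client-side preauth ordering; not libkrb5 code."""


def parse_preferred(value):
    """Parse a libdefaults-style value such as "17, 16, 15, 14" into a list
    of ints. Assumption: comma- and/or whitespace-separated integers."""
    tokens = value.replace(",", " ").split()
    return [int(t) for t in tokens]


def order_preauth_types(kdc_types, preferred):
    """Return the KDC-supplied list with preferred types moved to the front.

    - preferred types keep the order of the preference list (assumption)
    - types the KDC did not advertise are never added
    - all other types keep the KDC's own order
    - duplicates are dropped so each type is attempted once
    """
    advertised = set(kdc_types)
    front = []
    for t in preferred:
        if t in advertised and t not in front:
            front.append(t)
    seen = set(front)
    rest = []
    for t in kdc_types:
        if t not in seen:
            rest.append(t)
            seen.add(t)
    return front + rest


def select_preauth(ordered_types, can_supply):
    """First type in ordered_types for which can_supply(t) is true, or None.

    Models "the first preauth type for which it's able to obtain data is
    deemed good enough to fire off a request to the KDC".
    """
    for t in ordered_types:
        if can_supply(t):
            return t
    return None


if __name__ == "__main__":
    # Constructed sample: a KDC that lists encrypted timestamp (2) first
    # and the pkinit types after it.
    kdc_list = [2, 15, 16, 17]
    preferred = parse_preferred("17, 16, 15, 14")
    ordered = order_preauth_types(kdc_list, preferred)
    print("ordered:", ordered)

    # No pkinit module loaded: only type 2 can be supplied.
    print("no pkinit module ->", select_preauth(ordered, lambda t: t == 2))

    # A pkinit module is loaded: the pkinit type wins because it is first.
    pkinit_loaded = lambda t: t in (2, 16, 17)
    print("pkinit module    ->", select_preauth(ordered, pkinit_loaded))
```

With the sample KDC list the ordered result is `[17, 16, 15, 2]`; without a module able to produce pkinit data the client falls back to type 2, and with one loaded type 17 is used, which is the "it gets used" outcome in the message.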