Implementing preauthentication using loadable modules
Nalin Dahyabhai
nalin at redhat.com
Tue Sep 26 17:10:38 EDT 2006
Hello everyone, I've been working on getting libkrb5 and krb5kdc able to
use modules to implement preauthentication, and have gotten to a point
where there's a largish patch which I think puts abstraction points in
most of the right places.
Why use a loadable module instead of directly patching in new
functionality? My thinking is that certain means of preauthentication
(okay, PKINIT primarily) are likely to depend on external libraries, and
using modules
a) removes the need to keep krb5-config's --libs output up to date with
the right dependency information
b) shields applications which never obtain initial credentials from
new dependencies and bigger memory footprints
c) if the module interface is stable enough, heavily-in-development
modules can be built out-of-tree
I've put a proposed patch which implements a module interface, and
provides a couple of sample modules which use it, at
http://people.redhat.com/nalin/krb5-pal/trunk.diff.20060926 and would
like to hear what people think.
Thanks,
Nalin
More information about the krbdev
mailing list