Implementing preauthentication using loadable modules

Nalin Dahyabhai nalin at
Tue Sep 26 17:10:38 EDT 2006

Hello everyone, I've been working on getting libkrb5 and krb5kdc able to
use modules to implement preauthentication, and have gotten to a point
where there's a largish patch which I think puts abstraction points in
most of the right places.

Why use a loadable module instead of directly patching in new
functionality?  My thinking is that certain means of preauthentication
(okay, PKINIT primarily) are likely to depend on external libraries, and
using modules
a) removes the need to keep krb5-config's --libs output up to date with
   the right dependency information
b) shields applications which never obtain initial credentials from
   new dependencies and bigger memory footprints
c) if the module interface is stable enough, heavily-in-development
   modules can be built out-of-tree

I've put a proposed patch which implements a module interface, and
provides a couple of sample modules which use it, at and would
like to hear what people think.



More information about the krbdev mailing list