Implementing preauthentication using loadable modules

Kevin Coffman kwc at
Thu Sep 28 16:36:58 EDT 2006

Hello Nalin,
This appears to be a very nice implementation of the preauth plugin.
As Jim mentioned, we are working on a pkinit implementation.  We'd
very much like to work with you (and anyone else) to join forces and
eliminate any duplication of effort on this.  A bit of information on
our project can be found here:


On 9/26/06, Nalin Dahyabhai <nalin at> wrote:
> Hello everyone, I've been working on getting libkrb5 and krb5kdc able to
> use modules to implement preauthentication, and have gotten to a point
> where there's a largish patch which I think puts abstraction points in
> most of the right places.
> Why use a loadable module instead of directly patching in new
> functionality?  My thinking is that certain means of preauthentication
> (okay, PKINIT primarily) are likely to depend on external libraries, and
> using modules
> a) removes the need to keep krb5-config's --libs output up to date with
>    the right dependency information
> b) shields applications which never obtain initial credentials from
>    new dependencies and bigger memory footprints
> c) if the module interface is stable enough, heavily-in-development
>    modules can be built out-of-tree
> I've put a proposed patch which implements a module interface, and
> provides a couple of sample modules which use it, at
> and would
> like to hear what people think.
> Thanks,
> Nalin
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list