Implementing preauthentication using loadable modules

Sam Hartman hartmans at MIT.EDU
Fri Sep 29 14:57:39 EDT 2006


Based on discussion yesterday, we're going to try and pull this patch
into MIT Kerberos.

We are probably not going to install the plugin header as an API for
1.6; we want a version or two to work out interface bugs before
committing to the interface.

I think that there are a few things your plugin interface is missing
that you'll want to fix in order for it to be useful for pkinit.
These are not bugs in your patch; just deficiencies in the underlying
code.  I don't see any of these as blockers for integrating your
patch, but I do see them as challenges for pkinit.

* You need a way to get access to the DER encoding of the request
  body in the KDC.  That's going to be challenging from an ASN.1
  library standpoint.  I guess you need this on the client too.

* Currently there is no way from within the client preauth code to
  find out what the enctype in which the encrypted part of the as_req
  is encrypted is.  The client preauth tracks an enctype to use for
  string2key but that's different.

Sam Hartman
Manager, MIT Kerberos Team
