Implementing preauthentication using loadable modules
kwc at citi.umich.edu
Fri Sep 29 15:30:50 EDT 2006
Something else I'd like to see added is a module initialization and
cleanup (init/fini) function as is defined for the other module
interfaces. We found this convenient to do required openssl
On 9/29/06, Sam Hartman <hartmans at mit.edu> wrote:
> Based on discussion yesterday, we're going to try and pull this patch
> into MIT Kerberos.
> We are probably not going to install the plugin header as an API for
> 1.6; we want a version or two to work out interface bugs before
> committing to the interface.
> I think that there are a few things your plugin interface is missing
> that you'll want to fix in order for it to be useful for pkinit.
> These are not bugs in your patch; just deficiencies in the underlying
> code. I don't see any of these as blockers for integrating your
> patch, but I do see them as challenges for pkinit.
> * You need a way to get access to the DER encoding of the request
> body in the KDC. That's going to be challenging from an ASN.1
> library standpoint. I guess you need this on the client too.
> * Currently there is no way from within the client preauth code to
> find out what the enctype in which the encrypted part of the as_req
> is encrypted is. The client preauth tracks an enctype to use for
> string2key but that's different.
> Sam Hartman
> Manager, MIT Kerberos Team