Comments on the use of plugins
Douglas E. Engert
deengert at anl.gov
Fri Jun 15 10:31:14 EDT 2007
While testing the PKINIT code from the svn, I ran into some issues with plugins.
o The location of the plugin directory is absolute, set from
LIBDIR /krb5/plugins/preauth/. This cannot be overridden
from krb5.conf, a parameter or the ENV. I had to reconfigure
with a --prefix=/krb5m then add a /krb5m -> /afs/anl.gov/....
For production, there needs to be a way to specify an
alternate location, maybe from krb5.conf, or at least from
a KRB5_* env variable.
o The krb5int_open_plugin_dirs(), when loading the plugin pkinit.so,
managed to find the /usr/sfw/lib/libcrypto.so.0.9.7 provided by
Solaris 10. PKCS7_set0_type_other was needed and is not in 0.9.7.
I think this is an -rpath or dlopen issue.
I got around this and used openssl-0.9.8 by adding a -L/path..
and -Rpath... to the Makefile for pkinit.so.
o No message was produced indicating that pkinit.so failed to load.
I had to use gdb to find in util/support/plugins.c:108
where Tprintf creates a dlopen error message. Even though
ep points at the error message, krb5int_open_plugin_dirs
The krb5_context->err still has the error message
even after returning to kinit.c, which then tries to do
password authentication. (I ^C'ed out of the password prompt).
The message is still in context->err->scratch_buff, behind a
msg for "can't resolve KDC for realm ANL.GOV." Neither of which
There may be preauth error messages that can be ignored, and
messages that should be printed. IMHO failure to load should
be reported to the user. If the failure is always expected, then
the plugin should not be installed in the plugin directory.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
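
Added example, not part of the original post and not MIT krb5 code: a small C loader that takes the plugin directory from an environment override and returns the dlopen error text to the caller instead of dropping it. The variable name KRB5_PREAUTH_PLUGIN_DIR, the default directory and both function names are hypothetical.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Both values are assumptions for this example: a constructed stand-in for
 * the compiled-in directory and a hypothetical override variable. */
#define DEFAULT_PREAUTH_DIR "/usr/local/lib/krb5/plugins/preauth"
#define PLUGIN_DIR_ENV "KRB5_PREAUTH_PLUGIN_DIR"

/* Pick the plugin directory. The override is ignored when real and effective
 * ids differ, so a set-id program never loads code from a caller-chosen path. */
const char *preauth_plugin_dir(void)
{
    const char *dir = getenv(PLUGIN_DIR_ENV);
    if (dir == NULL || dir[0] != '/')
        return DEFAULT_PREAUTH_DIR;          /* unset or relative: refuse */
    if (getuid() != geteuid() || getgid() != getegid())
        return DEFAULT_PREAUTH_DIR;
    return dir;
}

/* Load one plugin. RTLD_NOW resolves every symbol at load time, so a library
 * that lacks a needed function fails here, with a message, rather than at the
 * first call. Returns 0 on success, -1 with err filled in on failure. */
int load_plugin(const char *path, void **handle, char *err, size_t errlen)
{
    *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (*handle != NULL)
        return 0;
    const char *msg = dlerror();
    snprintf(err, errlen, "cannot load plugin %s: %s", path,
             msg ? msg : "unknown dlopen error");
    return -1;
}

int main(void)
{
    char path[4096], err[512];
    void *h;
    snprintf(path, sizeof path, "%s/pkinit.so", preauth_plugin_dir());
    if (load_plugin(path, &h, err, sizeof err) != 0) {
        fprintf(stderr, "%s\n", err);   /* report, then let the caller decide */
        return 1;
    }
    dlclose(h);
    return 0;
}
```

On systems where dlopen is not part of libc, link with -ldl.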