preauth plugin configuration issues
Kevin Coffman
kwc at citi.umich.edu
Fri Mar 2 13:50:09 EST 2007
I'm modifying the pkinit KDC plugin code to allow for per-realm
configuration so that it can support KDCs that service multiple
realms.

This has uncovered a more general issue. The KDC's preauth list is
global. It has never had the notion of preauth types being supported
on a per-realm basis. If a KDC is to service five realms, but only
one is configured to handle pkinit, there is currently no support to
deal with this.

Therefore, either all the realms for a KDC support pkinit or none can.
(Each realm can have a distinct pkinit configuration.) Is this a
reasonable limitation?

K.C.