preauth plugin configuration issues

Kevin Coffman kwc at
Fri Mar 2 13:50:09 EST 2007

I'm modifying the pkinit KDC plugin code to allow for per-realm
configuration so that it can support KDCs that service multiple

This has uncovered a more general issue.  The KDC's preauth list is
global.  It has never had the notion of preauth types being supported
on a per-realm basis.  If a KDC is to service five realms, but only
one is configured to handle pkinit, there is currently no support to
deal with this.

Therefore, either all the realms for a KDC support pkinit or none can.
 (Each realm can  have a distinct pkinit configuration.)  Is this a
reasonable limitation?


More information about the krbdev mailing list