preauth plugin configuration issues

Nicolas Williams Nicolas.Williams at
Fri Mar 2 14:36:43 EST 2007

On Fri, Mar 02, 2007 at 01:50:09PM -0500, Kevin Coffman wrote:
> I'm modifying the pkinit KDC plugin code to allow for per-realm
> configuration so that it can support KDCs that service multiple
> realms.

IIRC MIT doesn't support more than one realm per-KDC, in particular
because kadmind doesn't.

> This has uncovered a more general issue.  The KDC's preauth list is
> global.  It has never had the notion of preauth types being supported
> on a per-realm basis.  If a KDC is to service five realms, but only
> one is configured to handle pkinit, there is currently no support to
> deal with this.

I don't understand -- why does having a pre-auth plug-in _loaded_ mean
that it must be properly configured?

> Therefore, either all the realms for a KDC support pkinit or none can.
> (Each realm can have a distinct pkinit configuration.)  Is this a
> reasonable limitation?

I think it's reasonable to say that all realms served by a multi-realm
KDC must have the same plugins loaded, but not all need to have
meaningful configurations for all those realms.
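The distinction drawn in this message, between a preauth plugin being loaded KDC-wide and being configured for a given realm, can be made concrete with a small model. The following is an added illustration, not code from MIT krb5 or the pkinit plugin: the plugin list is global, each realm carries its own configuration, and a plugin only contributes its preauth types to a realm where its required settings are present. The `PreauthPlugin`/`Kdc` classes, the `required_keys` notion and the sample realm configs are assumptions; the preauth type numbers are the standard ones from RFC 4120 and RFC 4556.

```python
from dataclasses import dataclass

# Preauth type numbers: PA-ENC-TIMESTAMP from RFC 4120,
# PA-PK-AS-REQ / PA-PK-AS-REP from RFC 4556.
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ = 16
PA_PK_AS_REP = 17


@dataclass(frozen=True)
class PreauthPlugin:
    """A preauth mechanism loaded once for the whole KDC (hypothetical model)."""
    name: str
    pa_types: tuple          # preauth types this plugin handles
    required_keys: tuple     # per-realm settings it needs before it can serve a realm

    def configured_for(self, realm_config: dict) -> bool:
        # A loaded plugin is only usable for a realm whose config supplies
        # every setting the plugin depends on.
        return all(key in realm_config for key in self.required_keys)


@dataclass
class Kdc:
    """Multi-realm KDC: one shared plugin list, one config dict per realm (hypothetical)."""
    plugins: list            # shared by every realm served
    realms: dict             # realm name -> that realm's configuration

    def advertised_preauth_types(self, realm: str) -> list:
        """Preauth types the KDC would offer a client of `realm`.

        Plugins that are loaded but lack a meaningful configuration for this
        realm are skipped rather than treated as an error.
        """
        if realm not in self.realms:
            raise KeyError(f"unknown realm {realm}")
        cfg = self.realms[realm]
        types = []
        for plugin in self.plugins:
            if plugin.configured_for(cfg):
                types.extend(plugin.pa_types)
        return types

    def unconfigured_plugins(self, realm: str) -> list:
        """Names of loaded plugins that are not usable for `realm` (for operator diagnostics)."""
        cfg = self.realms[realm]
        return [p.name for p in self.plugins if not p.configured_for(cfg)]


def build_demo_kdc() -> Kdc:
    """Constructed sample: two realms on one KDC, only one of them set up for pkinit."""
    enc_timestamp = PreauthPlugin("encrypted_timestamp", (PA_ENC_TIMESTAMP,), ())
    pkinit = PreauthPlugin("pkinit", (PA_PK_AS_REQ, PA_PK_AS_REP),
                           ("pkinit_identity", "pkinit_anchors"))
    realms = {
        # Constructed values, not real paths or realms.
        "EXAMPLE.COM": {"pkinit_identity": "FILE:/placeholder/kdc.pem",
                        "pkinit_anchors": "FILE:/placeholder/cacert.pem"},
        "OTHER.EXAMPLE": {},   # same plugins loaded, no pkinit settings
    }
    return Kdc(plugins=[enc_timestamp, pkinit], realms=realms)


if __name__ == "__main__":
    kdc = build_demo_kdc()
    for realm in kdc.realms:
        print(realm, kdc.advertised_preauth_types(realm),
              "unconfigured:", kdc.unconfigured_plugins(realm))
```

Run as a script it shows both realms sharing the same loaded plugin set while only the realm with pkinit settings advertises the PK-INIT preauth types; the other realm falls back to encrypted timestamp alone, which is the behaviour the message argues for.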

