preauth plugin configuration issues
Nicolas.Williams at sun.com
Fri Mar 2 14:36:43 EST 2007
On Fri, Mar 02, 2007 at 01:50:09PM -0500, Kevin Coffman wrote:
> I'm modifying the pkinit KDC plugin code to allow for per-realm
> configuration so that it can support KDCs that service multiple
IIRC MIT doesn't support more than one realm per KDC, in particular
because kadmind doesn't.
> This has uncovered a more general issue. The KDC's preauth list is
> global. It has never had the notion of preauth types being supported
> on a per-realm basis. If a KDC is to service five realms, but only
> one is configured to handle pkinit, there is currently no support to
> deal with this.
I don't understand -- why does having a pre-auth plug-in _loaded_ mean
that it must be properly configured?
> Therefore, either all the realms for a KDC support pkinit or none can.
> (Each realm can have a distinct pkinit configuration.) Is this a
> reasonable limitation?
I think it's reasonable to say that all realms served by a multi-realm
KDC must have the same plugins loaded, but not all need to have
meaningful configurations for all those realms.
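An illustration, added here and not part of the thread, of the arrangement Nico describes: one set of plugins loaded for the whole KDC, with PKINIT material supplied only for the realm that uses it. It is written in the per-realm kdc.conf syntax of later MIT krb5 releases, which accept pkinit_identity and pkinit_anchors in [realms] stanzas as well as in [kdcdefaults]; the realm names and file paths are made up for the example.

```ini
[kdcdefaults]
    kdc_ports = 88
    # No pkinit_* relations here, so nothing PKINIT-related is inherited
    # by every realm this KDC serves.

[realms]
    # Realm that actually offers PKINIT: KDC certificate/key plus the
    # trust anchors used to validate client certificates.
    EXAMPLE.COM = {
        database_name = /var/krb5kdc/principal
        pkinit_identity = FILE:/var/krb5kdc/kdc.pem,/var/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/var/krb5kdc/cacert.pem
    }

    # Realm served by the same KDC process: the pkinit plugin is still
    # loaded, but with no identity or anchors it has nothing to offer, so
    # clients of this realm are left with the other preauth types.
    OTHER.EXAMPLE.COM = {
        database_name = /var/krb5kdc/principal.other
    }
```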