preauth plugin configuration issues

[Kevin Coffman]

On 3/2/07, Nicolas Williams <Nicolas.Williams at sun.com> wrote:
> On Fri, Mar 02, 2007 at 01:50:09PM -0500, Kevin Coffman wrote:
> > I'm modifying the pkinit KDC plugin code to allow for per-realm
> > configuration so that it can support KDCs that service multiple
> > realms.
>
> IIRC MIT doesn't support more than one real per-KDC, in particular
> because kadmind doesn't.
>
> > This has uncovered a more general issue.  The KDC's preauth list is
> > global.  It has never had the notion of preauth types being supported
> > on a per-realm basis.  If a KDC is to service five realms, but only
> > one is configured to handle pkinit, there is currently no support to
> > deal with this.
>
> I don't understand -- why does having a pre-auth plug-in _loaded_ mean
> that it must be properly configured?

The current code has no notion of a per-realm list of preauth methods.
 If a preuth module is loaded (and returns successfully from the
plugin init function), it is assumed to be valid for all realms
served.  This means that the KDC will return pkinit as a supported
preauth type to all clients in all realms even if a particular realm
is not configured correctly for pkinit.

I can complicate the pkinit initialization to keep track of which
realms are properly configured.  Then return appropriately when called
for a request in a realm not supported.  However, it seems as though
this complication really belongs in the KDC preauth code instead of
each plugin.


> > Therefore, either all the realms for a KDC support pkinit or none can.
> >  (Each realm can  have a distinct pkinit configuration.)  Is this a
> > reasonable limitation?
>
> I think it's reasonable to say that all realms server by a multi-realm
> KDC must have the same plugins loaded, but not all need to have
> meaningful configurations for all those realms.
>
> Nico
> --