preauth plugin configuration issues
nalin at redhat.com
Sat Mar 3 13:34:40 EST 2007
On Fri, Mar 02, 2007 at 03:28:11PM -0500, Kevin Coffman wrote:
> The current code has no notion of a per-realm list of preauth methods.
> If a preuth module is loaded (and returns successfully from the
> plugin init function), it is assumed to be valid for all realms
> served. This means that the KDC will return pkinit as a supported
> preauth type to all clients in all realms even if a particular realm
> is not configured correctly for pkinit.
Unless I'm mistaken, that'll only happen if the module always returns
successfully from its edata_proc callback. A pkinit module could first
verify that it has a KDC certificate for the appropriate realm, and
return an error code if it didn't find one. The KDC would then refrain
from adding the preauth type to its hints list.
I think you're right that the part of the KDC which verifies the
client's preauth data doesn't handle cases where more than one module
would want to attempt to verify preauth data of a particular type.
Currently the KDC just calls into the first module which advertised that
it might be able to verify the data, and if the module returns a failure
code, moves on to verifying the next piece of preauthentication data.
Changing it to try every module, allowing any module which could verify
the advertised type to assert that the client's data was good, could be
a little tricky.
More information about the krbdev