preauth plugin configuration issues

Sam Hartman hartmans at MIT.EDU
Sat Mar 3 13:58:27 EST 2007

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

    Nicolas> On Fri, Mar 02, 2007 at 03:28:11PM -0500, Kevin Coffman
    Nicolas> wrote:
    >> > I don't understand -- why does having a pre-auth plug-in
    >> > _loaded_ mean that it must be properly configured?
    >> The current code has no notion of a per-realm list of preauth
    >> methods.  If a preauth module is loaded (and returns
    >> successfully from the plugin init function), it is assumed to
    >> be valid for all realms served.  This means that the KDC will
    >> return pkinit as a supported preauth type to all clients in all
    >> realms even if a particular realm is not configured correctly
    >> for pkinit.

    Nicolas> For such realms the KDC will not be able to authenticate
    Nicolas> to the client and the client will give up on PKINIT.
    Nicolas> Painful, but not clearly wrong.

I'm not sure that's true.

