preauth plugin configuration issues
Sam Hartman
hartmans at MIT.EDU
Sat Mar 3 13:58:27 EST 2007
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> On Fri, Mar 02, 2007 at 03:28:11PM -0500, Kevin Coffman
Nicolas> wrote:
>> >I don't understand -- why does having a pre-auth plug-in _loaded_ mean
>> >that it must be properly configured?
>>
>> The current code has no notion of a per-realm list of preauth
>> methods. If a preauth module is loaded (and returns
>> successfully from the plugin init function), it is assumed to
>> be valid for all realms served. This means that the KDC will
>> return pkinit as a supported preauth type to all clients in all
>> realms even if a particular realm is not configured correctly
>> for pkinit.
Nicolas> For such realms the KDC will not be able to authenticate
Nicolas> to the client and the client will give up on PKINIT.
Nicolas> Painful, but not clearly wrong.
I'm not sure that's true.