preauth plugin configuration issues
Sam Hartman
hartmans at MIT.EDU
Sat Mar 3 13:59:35 EST 2007
>>>>> "Nalin" == Nalin Dahyabhai <nalin at redhat.com> writes:
Nalin> I think you're right that the part of the KDC which
Nalin> verifies the client's preauth data doesn't handle cases
Nalin> where more than one module would want to attempt to verify
Nalin> preauth data of a particular type. Currently the KDC just
Nalin> calls into the first module which advertised that it might
Nalin> be able to verify the data, and if the module returns a
Nalin> failure code, moves on to verifying the next piece of
Nalin> preauthentication data.
Nalin> Changing it to try every module, allowing any module which
Nalin> could verify the advertised type to assert that the
Nalin> client's data was good, could be a little tricky.
I'm also not convinced this would be a good idea.
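
Added example, not part of the original message and not MIT krb5 code: a simplified C model of the dispatch described in the quoted text (only the first module advertising a preauth type is called), beside the try-every-module alternative. The type names, module names, data strings and preauth type 100 are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; these types and names are hypothetical, not MIT krb5's. */
typedef struct {
    const char *name;
    int pa_type;                      /* preauth type the module advertises */
    int (*verify)(const char *data);  /* 0 = data verified, nonzero = failure */
} preauth_module;
typedef struct { int pa_type; const char *data; } pa_data;

static int verify_a(const char *d) { return strcmp(d, "format-a") != 0; }
static int verify_b(const char *d) { return strcmp(d, "format-b") != 0; }

/* Constructed sample: two modules advertise the same (made-up) type 100. */
static const preauth_module sample_modules[] = {
    { "module_a", 100, verify_a },
    { "module_b", 100, verify_b },
};
static const pa_data sample_padata[] = { { 100, "format-b" } };

/* Returns the name of the module that verified some padata element, or NULL.
 * try_all == 0: call only the first module advertising the type; if it
 *               fails, move on to the next padata element.
 * try_all != 0: keep asking every module advertising the type. */
const char *verify_padata(const preauth_module *mods, size_t nmods,
                          const pa_data *pa, size_t npa, int try_all)
{
    for (size_t i = 0; i < npa; i++) {
        for (size_t m = 0; m < nmods; m++) {
            if (mods[m].pa_type != pa[i].pa_type)
                continue;
            if (mods[m].verify(pa[i].data) == 0)
                return mods[m].name;
            if (!try_all)
                break;  /* first advertiser failed: next padata element */
        }
    }
    return NULL;
}

int main(void)
{
    const char *r0 = verify_padata(sample_modules, 2, sample_padata, 1, 0);
    const char *r1 = verify_padata(sample_modules, 2, sample_padata, 1, 1);
    printf("first-match: %s\n", r0 ? r0 : "(not verified)");
    printf("try-all:     %s\n", r1 ? r1 : "(not verified)");
    return 0;
}
```

In the first-match mode the data that only module_b understands is never verified, because module_a advertised the type first; in the try-all mode any module advertising the type can accept it.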