preauth plugin configuration issues

Sam Hartman hartmans at MIT.EDU
Sat Mar 3 13:59:35 EST 2007

>>>>> "Nalin" == Nalin Dahyabhai <nalin at> writes:

    Nalin> I think you're right that the part of the KDC which
    Nalin> verifies the client's preauth data doesn't handle cases
    Nalin> where more than one module would want to attempt to verify
    Nalin> preauth data of a particular type.  Currently the KDC just
    Nalin> calls into the first module which advertised that it might
    Nalin> be able to verify the data, and if the module returns a
    Nalin> failure code, moves on to verifying the next piece of
    Nalin> preauthentication data.

    Nalin> Changing it to try every module, allowing any module which
    Nalin> could verify the advertised type to assert that the
    Nalin> client's data was good, could be a little tricky.

I'm also not convinced this would be a good idea.
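
The two dispatch behaviours discussed in this message, as an added example that is not part of the original post and is not MIT krb5 source. It is a simplified model: the struct layout, the function names, preauth type 99 and the "format-A"/"format-B" data are all hypothetical, constructed for illustration.

```c
/* Added illustration: a simplified model, not MIT krb5 source.
 * Every type, function name and value below is hypothetical. */
#include <stddef.h>
#include <string.h>

typedef int (*verify_fn)(const char *data);   /* 0 = data verified */

struct module { const char *name; int pa_type; verify_fn verify; };
struct padata { int pa_type; const char *data; };

static int verify_a(const char *d) { return strcmp(d, "format-A") ? -1 : 0; }
static int verify_b(const char *d) { return strcmp(d, "format-B") ? -1 : 0; }

/* Constructed registry: both modules advertise the same preauth type. */
static const struct module modules[] = {
    { "mod_a", 99, verify_a },
    { "mod_b", 99, verify_b },
};
#define NMODULES (sizeof(modules) / sizeof(modules[0]))

/* Behaviour described in the quoted text: only the first module that
 * advertised the type is called; on failure, move to the next padata. */
const char *check_first_module(const struct padata *pa, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        for (size_t m = 0; m < NMODULES; m++) {
            if (modules[m].pa_type != pa[i].pa_type)
                continue;
            if (modules[m].verify(pa[i].data) == 0)
                return modules[m].name;
            break;              /* later modules are never consulted */
        }
    }
    return NULL;                /* nothing verified the request */
}

/* The change under discussion: any module of that type may accept. */
const char *check_every_module(const struct padata *pa, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t m = 0; m < NMODULES; m++)
            if (modules[m].pa_type == pa[i].pa_type &&
                modules[m].verify(pa[i].data) == 0)
                return modules[m].name;
    return NULL;
}
```

With a single padata of type 99 carrying "format-B", the first function returns NULL because only mod_a is asked, while the second returns "mod_b".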

