preauth plugin configuration issues
kwc at citi.umich.edu
Tue Mar 6 09:52:26 EST 2007
On 3/3/07, Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Fri, Mar 02, 2007 at 03:28:11PM -0500, Kevin Coffman wrote:
> > The current code has no notion of a per-realm list of preauth methods.
> > If a preauth module is loaded (and returns successfully from the
> > plugin init function), it is assumed to be valid for all realms
> > served. This means that the KDC will return pkinit as a supported
> > preauth type to all clients in all realms even if a particular realm
> > is not configured correctly for pkinit.
> Unless I'm mistaken, that'll only happen if the module always returns
> successfully from its edata_proc callback. A pkinit module could first
> verify that it has a KDC certificate for the appropriate realm, and
> return an error code if it didn't find one. The KDC would then refrain
> from adding the preauth type to its hints list.
I've verified that this is true. I modified the kdc pkinit functions
to obtain the per-realm context first thing. If there isn't a context
for the given realm (because of configuration issues), the edata_proc
returns non-zero and pkinit is not in the list of preauth types
returned to the client.
The per-realm context support required a change to the plugin init
function in the kdc's preauth plugin interface to supply a list of
realms that should be supported.
I'll be migrating these changes into the pkinit branch in subversion soon.
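The mechanism described in this exchange, written out as an added, self-contained model (not code from the pkinit branch and not the MIT krb5 preauth plugin API; all function names, the realm list passed to init, and the sample configuration are invented for illustration): the plugin's init builds a per-realm context only for realms that are properly configured, its edata_proc returns non-zero for a realm without a context, and the KDC-side hints builder skips any module whose edata_proc declines, so pkinit is advertised only to clients in realms that actually have a KDC certificate.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the behaviour discussed in the thread; not the MIT krb5
 * preauth plugin API and not code from the pkinit branch. Names are invented. */

#define PA_ENC_TIMESTAMP 2    /* RFC 4120 preauth type number */
#define PA_PK_AS_REQ    16    /* RFC 4556 preauth type number */
#define MAX_REALMS 8

struct realm_ctx {
    const char *realm;
    const char *kdc_cert;   /* NULL when the realm has no usable KDC certificate */
};

/* Constructed sample configuration: only EXAMPLE.COM has a KDC certificate. */
static const char *lookup_kdc_cert(const char *realm) {
    if (strcmp(realm, "EXAMPLE.COM") == 0)
        return "/var/kerberos/krb5kdc/kdc.pem";
    return NULL;
}

static struct realm_ctx pkinit_ctxs[MAX_REALMS];
static size_t pkinit_nctx;

/* Plugin init given the list of realms the KDC serves: one context per realm
 * that is properly configured; misconfigured realms simply get no context. */
size_t pkinit_init(const char **realms, size_t nrealms) {
    pkinit_nctx = 0;
    for (size_t i = 0; i < nrealms && pkinit_nctx < MAX_REALMS; i++) {
        const char *cert = lookup_kdc_cert(realms[i]);
        if (cert == NULL)
            continue;
        pkinit_ctxs[pkinit_nctx].realm = realms[i];
        pkinit_ctxs[pkinit_nctx].kdc_cert = cert;
        pkinit_nctx++;
    }
    return pkinit_nctx;
}

static const struct realm_ctx *pkinit_find_ctx(const char *realm) {
    for (size_t i = 0; i < pkinit_nctx; i++)
        if (strcmp(pkinit_ctxs[i].realm, realm) == 0)
            return &pkinit_ctxs[i];
    return NULL;
}

/* edata_proc model: 0 means "offer this preauth type", non-zero means "don't". */
typedef int (*edata_proc_t)(const char *realm);

static int pkinit_edata(const char *realm) {
    return pkinit_find_ctx(realm) == NULL ? 1 : 0;   /* no per-realm context: decline */
}

static int enc_ts_edata(const char *realm) {
    (void)realm;                                      /* always available */
    return 0;
}

struct pa_module { int pa_type; edata_proc_t edata; };

static const struct pa_module modules[] = {
    { PA_ENC_TIMESTAMP, enc_ts_edata },
    { PA_PK_AS_REQ,     pkinit_edata },
};

/* Realm of a "name@REALM" principal string, or NULL if there is none. */
const char *realm_of_principal(const char *princ) {
    const char *at = strrchr(princ, '@');
    return (at && at[1]) ? at + 1 : NULL;
}

/* KDC side: collect the types to advertise in the preauth hints list. */
size_t build_preauth_hints(const char *client_princ, int *out, size_t max) {
    const char *realm = realm_of_principal(client_princ);
    size_t n = 0;
    if (realm == NULL)
        return 0;
    for (size_t i = 0; i < sizeof modules / sizeof modules[0] && n < max; i++) {
        if (modules[i].edata(realm) != 0)
            continue;                                 /* module declined for this realm */
        out[n++] = modules[i].pa_type;
    }
    return n;
}

/* 1 if pa_type would appear in the hints sent to this client, else 0. */
int hints_offer(const char *client_princ, int pa_type) {
    int types[8];
    size_t n = build_preauth_hints(client_princ, types, 8);
    for (size_t i = 0; i < n; i++)
        if (types[i] == pa_type)
            return 1;
    return 0;
}

int main(void) {
    const char *realms[] = { "EXAMPLE.COM", "OTHER.ORG" };
    pkinit_init(realms, 2);
    printf("pkinit to alice@EXAMPLE.COM: %d\n", hints_offer("alice@EXAMPLE.COM", PA_PK_AS_REQ));
    printf("pkinit to bob@OTHER.ORG:     %d\n", hints_offer("bob@OTHER.ORG", PA_PK_AS_REQ));
    return 0;
}
```

The check a practitioner would want is the second case: a realm the KDC serves but has not configured for pkinit still gets encrypted-timestamp offered, while the pkinit type is withheld rather than advertised and then failing at request time.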