preauth plugin configuration issues

Kevin Coffman kwc at
Tue Mar 6 09:52:26 EST 2007

On 3/3/07, Nalin Dahyabhai <nalin at> wrote:
> On Fri, Mar 02, 2007 at 03:28:11PM -0500, Kevin Coffman wrote:
> > The current code has no notion of a per-realm list of preauth methods.
> > If a preuth module is loaded (and returns successfully from the
> > plugin init function), it is assumed to be valid for all realms
> > served.  This means that the KDC will return pkinit as a supported
> > preauth type to all clients in all realms even if a particular realm
> > is not configured correctly for pkinit.
> Unless I'm mistaken, that'll only happen if the module always returns
> successfully from its edata_proc callback.  A pkinit module could first
> verify that it has a KDC certificate for the appropriate realm, and
> return an error code if it didn't find one.  The KDC would then refrain
> from adding the preauth type to its hints list.

Thanks Nalin,
I've verified that this is true.  I modified the kdc pkinit functions
to obtain the per-realm context first thing.  If there isn't a context
for the given realm (because of configuration issues), the edata_proc
returns non-zero and pkinit is not in the list of preauth types
returned to the client.

The per-realm context support required a change to the plugin init
function in the kdc's preauth plugin interface to supply a list of
realms that should be supported.

I'll be migrating these changes into the pkinit branch in subversion soon.


More information about the krbdev mailing list