issue with preauth processing
Will Fiveash
William.Fiveash at sun.com
Fri Oct 23 17:50:35 EDT 2009
On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
> The preauth framework strongly encourages implementations to take
> optimistic pre-auth as a hint. If you try some pre-auth and get a
> PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as
> the KDC requesting you start over. Now, if that second round fails,
> you should probably give up.
But consider pam_krb5 and prompting. There may be situations where
pam_krb5 wants to restrict libkrb and it's preauth plugins to only
PKINIT and it's associated prompts. How can that be done?
> Basically, the question is whether we take that gic option call as an
> optimization or security constraint. Most people who have used it in
> the past have been looking for an optimization.
In the case of setting the preauth list why can't it be both?
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
More information about the krbdev
mailing list