issue with preauth processing

Will Fiveash William.Fiveash at
Fri Oct 23 17:50:35 EDT 2009

On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
> The preauth framework strongly encourages implementations to take
> optimistic pre-auth as a hint.  If you try some pre-auth and get a
> PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as
> the KDC requesting you start over.  Now, if that second round fails,
> you should probably give up.

But consider pam_krb5 and prompting.  There may be situations where
pam_krb5 wants to restrict libkrb and it's preauth plugins to only
PKINIT and it's associated prompts.  How can that be done?

> Basically, the question is whether we take that gic option call as an
> optimization or security constraint.  Most people who have used it in
> the past have been looking for an optimization.

In the case of setting the preauth list why can't it be both?

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA

More information about the krbdev mailing list