issue with preauth processing
Sam Hartman
hartmans at MIT.EDU
Mon Oct 26 14:39:26 EDT 2009
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
Will> On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
>> The preauth framework strongly encourages implementations to
>> take optimistic pre-auth as a hint. If you try some pre-auth
>> and get a PREAUTH_REQUIRED or PREAUTH_FAILED error, then you
>> should take that as the KDC requesting you start over. Now, if
>> that second round fails, you should probably give up.
Will> But consider pam_krb5 and prompting. There may be
Will> situations where pam_krb5 wants to restrict libkrb and its
Will> preauth plugins to only PKINIT and its associated prompts.
Will> How can that be done?
I don't think we have an API for that today. (I'm also not entirely
convinced that libpam-krb5 should do this.) I do think such an API
would be reasonable in some cases--for example the s4u case.
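The retry policy discussed in this thread, as an added toy model that is not MIT Kerberos code: a client treats its optimistic preauth as a hint, restarts once from the METHOD-DATA the KDC returns with PREAUTH_REQUIRED or PREAUTH_FAILED, and gives up if that second round also fails. The `ToyKDC`, `get_tgt` and the `allowed` filter (standing in for a caller such as pam_krb5 restricting the client to PKINIT) are constructed for this example; the pa-type and error numbers are the RFC 4120/4556 values.

```python
# Toy model of the preauth retry policy; the KDC and client here are
# constructed for illustration, only the numeric constants are real.
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
PA_ENC_TIMESTAMP = 2       # RFC 4120
PA_PK_AS_REQ = 16          # RFC 4556 (PKINIT)


class KrbError(Exception):
    """KDC error reply; e_data carries the METHOD-DATA list of pa-types the KDC accepts."""
    def __init__(self, code, e_data=()):
        super().__init__(code)
        self.code = code
        self.e_data = tuple(e_data)


class ToyKDC:
    """Constructed KDC: accepts only the listed pa-types and one fixed valid payload."""
    def __init__(self, accepted, valid_payload):
        self.accepted = tuple(accepted)
        self.valid_payload = valid_payload

    def as_req(self, padata):
        if padata is None or padata[0] not in self.accepted:
            raise KrbError(KDC_ERR_PREAUTH_REQUIRED, self.accepted)
        if padata[1] != self.valid_payload:
            raise KrbError(KDC_ERR_PREAUTH_FAILED, self.accepted)
        return "TGT"


def get_tgt(kdc, optimistic, produce, allowed=None, max_rounds=2):
    """Send `optimistic` preauth (or None); on PREAUTH_REQUIRED/FAILED restart
    once with the first KDC-hinted pa-type, then give up.  `produce(patype)`
    models prompting for that mechanism's data; `allowed` models a caller
    (hypothetical pam_krb5 policy) forbidding mechanisms outside the set."""
    padata, last = optimistic, None
    for _ in range(max_rounds):
        try:
            return kdc.as_req(padata)
        except KrbError as err:
            if err.code not in (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_FAILED):
                raise
            last = err
            hinted = [t for t in err.e_data if allowed is None or t in allowed]
            if not hinted:            # KDC offers nothing the caller permits
                raise
            padata = (hinted[0], produce(hinted[0]))
    raise last                        # second round failed: stop retrying
```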