issue with preauth processing

Sam Hartman hartmans at MIT.EDU
Mon Oct 26 14:39:26 EDT 2009

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
    >> The preauth framework strongly encourages implementations to
    >> take optimistic pre-auth as a hint.  If you try some pre-auth
    >> and get a PREAUTH_REQUIRED or PREAUTH_FAILED error, then you
    >> should take that as the KDC requesting you start over.  Now, if
    >> that second round fails, you should probably give up.

    Will> But consider pam_krb5 and prompting.  There may be
    Will> situations where pam_krb5 wants to restrict libkrb and it's
    Will> preauth plugins to only PKINIT and it's associated prompts.
    Will> How can that be done?

I don't think we have an API for that today.  (I'm also not entirely
convinced that libpam-krb5 should do this.)  I do think such an API
would be reasonable in some cases--for example the s4u case.

More information about the krbdev mailing list