Proper way to do logging (KDC) from preauth plugin?
Greg Hudson
ghudson at MIT.EDU
Wed Apr 21 23:18:27 EDT 2010
On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
> kdc_verify_preauth() is never called according to this
> (not for my plugin or any other):
Here's what's expected to happen:
* kinit sends an AS request with no preauth information.
* The KDC sees the requires_preauth flag on the principal and returns an
error with a list of possible preauth mechanisms (consulting each
module's get_edata method). The code path here is process_as_req()
calling missing_required_preauth(), receiving a non-null status, and
then calling get_preauth_hint_list().
* kinit processes the hint list, possibly asking for the user's password
or PIN.
* kinit sends another AS request with preauthentication.
* process_as_req() calls check_padata() to validate the
preauthentication. The modules which handle the preauthentication types
in the packet have their verify_padata methods invoked, until one
succeeds which is deemed "sufficient."
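The two-round exchange Greg describes, as an added illustration that is not part of this thread and not MIT krb5 code: a constructed C model in which the KDC-side function names (process_as_req, missing_required_preauth, get_preauth_hint_list, check_padata) and the module methods (get_edata, verify_padata) follow the post, while the struct layouts, the PA_TOY_* padata type numbers, the sample credentials and the client-side kinit_exchange() are hypothetical. It shows why a module's verify_padata is only reached on the second AS request, and only for the padata types actually present in that packet.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical padata type numbers for this toy model (not registered values). */
enum { PA_TOY_PASSWORD = 1001, PA_TOY_PIN = 1002 };

typedef struct { int patype; const char *value; } padata_t;      /* one PA-DATA element */
typedef struct { const char *name; bool requires_preauth; } principal_t;

/* A preauth module: get_edata advertises its type in the hint list,
 * verify_padata checks a PA-DATA element of that type. */
typedef struct {
    int patype;
    int  (*get_edata)(const struct preauth_module *self);
    bool (*verify_padata)(const padata_t *pa);
} preauth_module_t;

/* Constructed verifiers; real modules would check against the KDB entry. */
bool verify_password(const padata_t *pa) { return strcmp(pa->value, "constructed-password") == 0; }
bool verify_pin(const padata_t *pa)      { return strcmp(pa->value, "1234") == 0; }

static const preauth_module_t modules[] = {
    { PA_TOY_PASSWORD, NULL, verify_password },
    { PA_TOY_PIN,      NULL, verify_pin },
};
#define NMODULES (int)(sizeof(modules) / sizeof(modules[0]))

enum as_result { AS_OK, AS_PREAUTH_REQUIRED, AS_PREAUTH_FAILED };

/* Non-zero status when the principal requires preauth and the request carries none. */
int missing_required_preauth(const principal_t *p, const padata_t *pa, int npa) {
    (void)pa;
    return p->requires_preauth && npa == 0;
}

/* Consult each module (its get_edata role, collapsed here to "advertise my patype"). */
int get_preauth_hint_list(int *hints, int max) {
    int n = 0;
    for (int i = 0; i < NMODULES && n < max; i++)
        hints[n++] = modules[i].patype;
    return n;
}

/* Invoke verify_padata only on modules handling a type present in the packet,
 * stopping at the first one that succeeds (treated as sufficient). */
bool check_padata(const padata_t *pa, int npa) {
    for (int i = 0; i < npa; i++)
        for (int m = 0; m < NMODULES; m++)
            if (modules[m].patype == pa[i].patype && modules[m].verify_padata(&pa[i]))
                return true;
    return false;
}

/* KDC side of one AS request. On PREAUTH_REQUIRED, hints/nhints carry the error's hint list. */
enum as_result process_as_req(const principal_t *p, const padata_t *pa, int npa,
                              int *hints, int *nhints) {
    if (missing_required_preauth(p, pa, npa)) {
        *nhints = get_preauth_hint_list(hints, 8);
        return AS_PREAUTH_REQUIRED;          /* first round ends here: no verify_padata call */
    }
    if (p->requires_preauth && !check_padata(pa, npa))
        return AS_PREAUTH_FAILED;
    return AS_OK;
}

/* Client side (hypothetical kinit_exchange): round 1 without preauth, then round 2
 * supplying data for the first hinted type the client has a credential for. */
enum as_result kinit_exchange(const principal_t *p, const char *password, const char *pin) {
    int hints[8], nhints = 0;
    enum as_result r = process_as_req(p, NULL, 0, hints, &nhints);
    if (r != AS_PREAUTH_REQUIRED)
        return r;
    for (int i = 0; i < nhints; i++) {
        padata_t pa = { hints[i], NULL };
        if (hints[i] == PA_TOY_PASSWORD && password) pa.value = password;
        else if (hints[i] == PA_TOY_PIN && pin)     pa.value = pin;
        else continue;
        return process_as_req(p, &pa, 1, hints, &nhints);
    }
    return AS_PREAUTH_FAILED;                /* nothing in the hint list we could satisfy */
}

int main(void) {
    principal_t user = { "user@EXAMPLE.COM", true };   /* constructed principal */
    printf("password round trip: %d\n", kinit_exchange(&user, "constructed-password", NULL)); /* 0 = AS_OK */
    printf("wrong PIN: %d\n", kinit_exchange(&user, NULL, "0000"));                            /* 2 = AS_PREAUTH_FAILED */
    return 0;
}
```

The practical point for a plugin author is visible in process_as_req(): with an empty first request the KDC returns before check_padata() runs, so a verify_padata that never fires usually means the client never got past the hint round, either because the principal lacks requires_preauth or because the module's type is not being advertised or not being sent back.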