Proper way to do logging (KDC) from preauth plugin?

Greg Hudson ghudson at MIT.EDU
Wed Apr 21 23:18:27 EDT 2010

On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
> kdc_verify_preauth() is never called according to this
> (not for my plugin or any other):

Here's what's expected to happen:

* kinit sends an AS request with no preauth information.

* The KDC sees the requires_preauth flag on the principal and returns an
error with a list of possible preauth mechanisms (consulting each
module's get_edata method).  The code path here is process_as_req()
calling missing_required_preauth(), receiving a non-null status, and
then calling get_preauth_hint_list().

* kinit processes the hint list, possibly asking for the user's password
or PIN.

* kinit sends another AS request with preauthentication.

* process_as_req() calls check_padata() to validate the
preauthentication.  The modules which handle the preauthentication types
in the packet have their verify_padata methods invoked, until one
succeeds which is deemed "sufficient."

More information about the krbdev mailing list