Proper way to do logging (KDC) from preauth plugin?
Jeff Blaine
jblaine at kickflop.net
Thu Apr 22 11:59:31 EDT 2010
I have 1 plugin installed (mine). It is never referenced
from what I can see stepping through gdb once a break
is hit on check_padata(). I did that just now based on
your reply.
From what I can gather then, the non-plugin preauth
mech is working (verify_enc_timestamp() is called
and I have no plugin for enc challenge), so my plugin
is not referenced. Does that sound like a reasonable
evaluation?
Any advice? This preauth plugin must be called and
must succeed.
Thanks for the guidance so far. Once I make some progress
(or I suppose even if I don't...), I'll update the wiki
with some notes from this exchange so the next person
has *something* to reference other than comment-less
source code :)
On 4/21/2010 11:18 PM, Greg Hudson wrote:
> On Wed, 2010-04-21 at 22:32 -0400, Jeff Blaine wrote:
>> kdc_verify_preauth() is never called according to this
>> (not for my plugin or any other):
>
> Here's what's expected to happen:
>
> * kinit sends an AS request with no preauth information.
>
> * The KDC sees the requires_preauth flag on the principal and returns an
> error with a list of possible preauth mechanisms (consulting each
> module's get_edata method). The code path here is process_as_req()
> calling missing_required_preauth(), receiving a non-null status, and
> then calling get_preauth_hint_list().
>
> * kinit processes the hint list, possibly asking for the user's password
> or PIN.
>
> * kinit sends another AS request with preauthentication.
>
> * process_as_req() calls check_padata() to validate the
> preauthentication. The modules which handle the preauthentication types
> in the packet have their verify_padata methods invoked, until one
> succeeds which is deemed "sufficient."
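As an added illustration (not code from krb5 or from anyone in this thread), here is a small Python model of the check_padata() dispatch Greg describes: a module's verify_padata runs only for padata types it registered and that actually appear in the AS request, and the loop stops at the first "sufficient" success. The module names, the private padata type 200 and the request contents are assumptions constructed for the example; PA-ENC-TIMESTAMP is type 2 in RFC 4120.

```python
"""Toy model of KDC check_padata() dispatch (added example, not krb5 code).
Shows why a registered module's verify method is never reached when the
request carries no padata of a type that module registered.
"""
from dataclasses import dataclass, field

PA_ENC_TIMESTAMP = 2   # real padata type number from RFC 4120
PA_MY_PLUGIN = 200     # constructed private type for the custom module


@dataclass
class Module:
    name: str
    pa_types: tuple          # padata types this module registered
    sufficient: bool = True  # a success here satisfies the preauth requirement
    calls: list = field(default_factory=list)

    def verify_padata(self, pa_type, value):
        """Stand-in for the plugin's verify method; records that it ran."""
        self.calls.append(pa_type)
        return value == "ok"  # constructed success condition


def check_padata(modules, request_padata):
    """Return (satisfied, trace); trace lists (module, pa_type) invocations."""
    trace = []
    for pa_type, value in request_padata:
        for mod in modules:
            if pa_type not in mod.pa_types:
                continue           # module never sees padata it did not register
            trace.append((mod.name, pa_type))
            if mod.verify_padata(pa_type, value) and mod.sufficient:
                return True, trace  # "sufficient" success ends the loop
    return False, trace


def enc_timestamp_only():
    """Matches the observation in the thread: the request carries only
    PA-ENC-TIMESTAMP, so only the timestamp module runs and the custom
    module is never invoked."""
    mods = [Module("encrypted_timestamp", (PA_ENC_TIMESTAMP,)),
            Module("my_plugin", (PA_MY_PLUGIN,))]
    return check_padata(mods, [(PA_ENC_TIMESTAMP, "ok")])


def plugin_padata_present():
    """If the client sends the plugin's padata type instead, the plugin runs."""
    mods = [Module("encrypted_timestamp", (PA_ENC_TIMESTAMP,)),
            Module("my_plugin", (PA_MY_PLUGIN,))]
    return check_padata(mods, [(PA_MY_PLUGIN, "ok")])
```

The trace returned by each helper is the diagnostic to compare against a gdb breakpoint on check_padata(): the custom module appears in it only when its padata type is in the request.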