preauth code questions

Jeff Blaine jblaine at
Thu Apr 22 12:08:21 EDT 2010

On 4/22/2010 2:45 AM, Luke Howard wrote:
> On 22/04/2010, at 2:32 AM, Jeff Blaine wrote:
>>>> * Is the client's IP address available in a preauth plugin?
>>> It doesn't look like it.
>> My KDC preauth plugin wants to connect back to a service on
>> the client host.
>> So I guess I'm screwed as far as making this a KDC-side-only
>> plugin?
> How about tunnelling the data in the KDC reply and having
 > the client send to the client-side service?

Hi Luke,

The goal is to make this KDC-only code and not require anything
new from clients Kerberos-wise (see "screwed" comment above :))

If there's no way to get the client IP address from within a
KDC-side preauth plugin (which would really be a bummer), the
whole logic will change to a 'standard' model of preauth where
the client will need to present the data in its reply (after
querying the client-side service in question).

More information about the krbdev mailing list