preauth code questions
Jeff Blaine
jblaine at kickflop.net
Thu Apr 22 12:08:21 EDT 2010
On 4/22/2010 2:45 AM, Luke Howard wrote:
> On 22/04/2010, at 2:32 AM, Jeff Blaine wrote:
>>>> * Is the client's IP address available in a preauth plugin?
>>>
>>> It doesn't look like it.
>>
>> My KDC preauth plugin wants to connect back to a service on
>> the client host.
>>
>> So I guess I'm screwed as far as making this a KDC-side-only
>> plugin?
>
> How about tunnelling the data in the KDC reply and having
> the client send to the client-side service?

Hi Luke,

The goal is to make this KDC-only code and not require anything
new from clients Kerberos-wise (see "screwed" comment above :))

If there's no way to get the client IP address from within a
KDC-side preauth plugin (which would really be a bummer), the
whole logic will change to a 'standard' model of preauth where
the client will need to present the data in its reply (after
querying the client-side service in question).