Proper way to do logging (KDC) from preauth plugin?

Jeff Blaine jblaine at
Thu Apr 22 23:59:27 EDT 2010

On 4/22/2010 1:57 PM, Greg Hudson wrote:
> On Thu, 2010-04-22 at 11:59 -0400, Jeff Blaine wrote:
>> Any advice?  This preauth plugin must be called and
>> must succeed.
> I see.  What you want is for your plugin to be invoked at preauth
> verification time even though the client doesn't have any understanding
> of your mechanism (because it happens out of band).  Unfortunately, I
> don't think that kind of use is currently envisioned by the preauth
> framework.

Okay, so the KDC-only preauth method is a wash for what we wanted.
Fair enough.

 From what I gather of your previous message, it is not possible
to indicate a 'required' preauth plugin.  Is that also correct?

> The modules which handle the preauthentication types
> in the packet have their verify_padata methods invoked, until
 > one succeeds which is deemed "sufficient."

More information about the krbdev mailing list