Proper way to do logging (KDC) from preauth plugin?
Jeff Blaine
jblaine at kickflop.net
Thu Apr 22 23:59:27 EDT 2010
On 4/22/2010 1:57 PM, Greg Hudson wrote:
> On Thu, 2010-04-22 at 11:59 -0400, Jeff Blaine wrote:
>> Any advice? This preauth plugin must be called and
>> must succeed.
>
> I see. What you want is for your plugin to be invoked at preauth
> verification time even though the client doesn't have any understanding
> of your mechanism (because it happens out of band). Unfortunately, I
> don't think that kind of use is currently envisioned by the preauth
> framework.
Okay, so the KDC-only preauth method is a wash for what we wanted.
Fair enough.
From what I gather of your previous message, it is not possible
to indicate a 'required' preauth plugin. Is that also correct?
> The modules which handle the preauthentication types
> in the packet have their verify_padata methods invoked, until
> one succeeds which is deemed "sufficient."
More information about the krbdev
mailing list