Proper way to do logging (KDC) from preauth plugin?

Jeff Blaine jblaine at
Fri Apr 23 12:19:21 EDT 2010

On 4/22/2010 11:59 PM, Jeff Blaine wrote:
> On 4/22/2010 1:57 PM, Greg Hudson wrote:
>> On Thu, 2010-04-22 at 11:59 -0400, Jeff Blaine wrote:
>>> Any advice? This preauth plugin must be called and
>>> must succeed.
>> I see. What you want is for your plugin to be invoked at preauth
>> verification time even though the client doesn't have any understanding
>> of your mechanism (because it happens out of band). Unfortunately, I
>> don't think that kind of use is currently envisioned by the preauth
>> framework.
> Okay, so the KDC-only preauth method is a wash for what we wanted.
> Fair enough.
>  From what I gather of your previous message, it is not possible
> to indicate a 'required' preauth plugin. Is that also correct?
>> The modules which handle the preauthentication types
>> in the packet have their verify_padata methods invoked, until
>  > one succeeds which is deemed "sufficient."

Maybe I can intercept your reply with an idea:

I've found the logic in kdc/kdc_preauth.c where the ordering
of pa stuff is done (around line 896).

How about a PA_REQUIRED flag and its appropriate handler code?

Would that be a welcomed contribution?

More information about the krbdev mailing list