Proper way to do logging (KDC) from preauth plugin?
jblaine at kickflop.net
Fri May 7 11:54:21 EDT 2010
On 4/28/2010 11:00 AM, Sam Hartman wrote:
> I think that configuration of which pa types should be required for a
> given user doesn't belong in a PA_REQUIRED flag.
Sam, I'm revisiting this flag this morning.
I'm not concerned right now with a per-user decision.
> /* Causes the KDC to include this mechanism in a list of
> * supported preauth types if the user's DB entry flags
> * the user as requiring preauthentication, and to fail
> * preauthentication if we can't verify the client data.
> * The flipside of PA_SUFFICIENT (server-only). */
> #define PA_REQUIRED 0x00000008
As this is described, this sounds like exactly what I want.
Deem a certain preauth plugin as required for anyone with
preauth_required on their principal.