Proper way to do logging (KDC) from preauth plugin?

Jeff Blaine jblaine at
Fri May 7 11:54:21 EDT 2010

On 4/28/2010 11:00 AM, Sam Hartman wrote:
> I think that configuration of which pa types should be required for a
> given user don't belong in a PA_REQUIRED flag.

Sam, I'm revisiting this flag this morning.

I'm not concerned right now with a per-user decision.

> /* Causes the KDC to include this mechanism in a list of
>  * supported preauth types if the user's DB entry flags
>  * the user as requiring preauthentication, and to fail
>  * preauthentication if we can't verify the client data.
>  * The flipside of PA_SUFFICIENT (server-only). */
> #define PA_REQUIRED     0x00000008

As this is described, this sounds like exactly what I want.

Deem a certain preauth plugin as required for anyone with
preauth_required on their principal.


More information about the krbdev mailing list