Proper way to do logging (KDC) from preauth plugin?

Greg Hudson ghudson at MIT.EDU
Mon May 10 12:00:41 EDT 2010


On Mon, 2010-05-10 at 05:16 -0400, Sam Hartman wrote:
> Actually, does PA_REQUIRED actually require that the client include that
> particular pa type or simply require that if present it must succeed?

The latter, which seems to make the flag pretty meaningless.

> If the semantics are:
> 1) advertise in list
> 2) If client includes pa type then it must succeed
> 3) If PREAUTH_REQUIRED set then the client must include some PA_REQUIRED
> or PA_SUFFICIENT type
> 
> that seems fine.

I would think that proper semantics would be that clients must include
all PA_REQUIRED types and they must all succeed.  (The proper
interactions between PA_REQUIRED and PA_SUFFICIENT are unclear; in PAM
they depend on configuration order, while preauth modules aren't
meaningfully ordered.)

Regardless, it seems wrong for either flag to be hardcoded in the module
source code.  In PAM, "required" and "sufficient" are determined by
configuration, not by the PAM modules themselves.
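The two readings of PA_REQUIRED in this exchange, as an added stand-alone model (example code written for this page, not MIT krb5 code). The flag values, struct names and module table are assumptions made for illustration; only the pa type numbers are real (PA-ENC-TIMESTAMP = 2 from RFC 4120, PA-PK-AS-REQ = 16 from RFC 4556). The flags live in a KDC-side configuration table rather than in the module, which is the PAM-style arrangement the mail argues for.

```c
/* Added example, not MIT krb5 code: two readings of PA_REQUIRED. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { FLAG_NONE = 0, FLAG_REQUIRED = 1, FLAG_SUFFICIENT = 2 };

/* A preauth module as the KDC sees it.  The flags are assigned by KDC
 * configuration, not hardcoded by the module (assumed layout). */
struct pa_module { int patype; int flags; };

/* One pa type the client included, and whether its module verified it. */
struct pa_result { int patype; bool succeeded; };

struct request { const struct pa_result *results; size_t nresults; };

static const struct pa_result *find_result(const struct request *req, int patype)
{
    for (size_t i = 0; i < req->nresults; i++)
        if (req->results[i].patype == patype)
            return &req->results[i];
    return NULL;
}

/* Reading 1 (the current meaning described in the mail): a flagged type
 * only has to succeed if the client chose to include it.  With
 * preauth_required set, item 3 of Sam's list also applies: the client must
 * have included some REQUIRED or SUFFICIENT type. */
bool accept_if_present(const struct pa_module *mods, size_t nmods,
                       const struct request *req, bool preauth_required)
{
    bool flagged_present = false;
    for (size_t i = 0; i < nmods; i++) {
        const struct pa_result *r = find_result(req, mods[i].patype);
        if (r == NULL)
            continue;                   /* not included: no opinion */
        if (!r->succeeded)
            return false;               /* included: must succeed */
        if (mods[i].flags & (FLAG_REQUIRED | FLAG_SUFFICIENT))
            flagged_present = true;
    }
    return !preauth_required || flagged_present;
}

/* Reading 2 (what Greg proposes): every REQUIRED type must be included and
 * succeed, whatever else the client sent.  How SUFFICIENT interacts with
 * REQUIRED is left undefined, as in the mail; here SUFFICIENT only counts
 * toward satisfying preauth_required. */
bool accept_all_required(const struct pa_module *mods, size_t nmods,
                         const struct request *req, bool preauth_required)
{
    bool flagged_present = false;
    for (size_t i = 0; i < nmods; i++) {
        const struct pa_result *r = find_result(req, mods[i].patype);
        if (r == NULL) {
            if (mods[i].flags & FLAG_REQUIRED)
                return false;           /* required type never offered */
            continue;
        }
        if (!r->succeeded)
            return false;
        if (mods[i].flags & (FLAG_REQUIRED | FLAG_SUFFICIENT))
            flagged_present = true;
    }
    return !preauth_required || flagged_present;
}

/* Constructed configuration: PKINIT marked REQUIRED, timestamp unflagged. */
static const struct pa_module demo_modules[] = {
    { 2,  FLAG_NONE },      /* PA-ENC-TIMESTAMP */
    { 16, FLAG_REQUIRED },  /* PA-PK-AS-REQ */
};
#define NDEMO (sizeof demo_modules / sizeof demo_modules[0])

/* Constructed client requests. */
static const struct pa_result ts_only[]   = { { 2, true } };
static const struct pa_result pk_failed[] = { { 2, true }, { 16, false } };
static const struct pa_result pk_ok[]     = { { 16, true } };
static const struct request req_ts_only   = { ts_only,   1 };
static const struct request req_pk_failed = { pk_failed, 2 };
static const struct request req_pk_ok     = { pk_ok,     1 };

int main(void)
{
    /* The divergent case: a client that never offers the REQUIRED type is
     * accepted under reading 1 but rejected under reading 2. */
    printf("timestamp only: if-present=%d all-required=%d\n",
           accept_if_present(demo_modules, NDEMO, &req_ts_only, false),
           accept_all_required(demo_modules, NDEMO, &req_ts_only, false));
    printf("pkinit failed:  if-present=%d all-required=%d\n",
           accept_if_present(demo_modules, NDEMO, &req_pk_failed, false),
           accept_all_required(demo_modules, NDEMO, &req_pk_failed, false));
    printf("pkinit ok:      if-present=%d all-required=%d\n",
           accept_if_present(demo_modules, NDEMO, &req_pk_ok, true),
           accept_all_required(demo_modules, NDEMO, &req_pk_ok, true));
    return 0;
}
```

The first scenario is the one that makes reading 1 "pretty meaningless": with PKINIT configured as required, a client that sends only an encrypted timestamp still gets in, because nothing forces it to include the required type unless preauth_required is also set and the timestamp happens to be flagged.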

More information about the krbdev mailing list