Implementing a multi-round trip preauthentication method
Sam Hartman
hartmans at MIT.EDU
Wed Oct 6 08:42:25 EDT 2010
First read the IETF draft-ietf-krb-wg-preauth-framework.
If you are doing a multi-round-trip mechanism you almost certainly want
to make it be a FAST factor.
On the client, it's relatively easy. There is an opaque state that is
passed from mechanism to mechanism.
All you'd need to do is implement support for
KDC_ERR_MORE_PREAUTH_DATA_NEEDED in .
On the KDC side it's more complicated. Currently, the constant cookie
MIT is sent in order to keep a conversation alive. You'll need to
provide a facility so that a preauth method can give information to the
KDC to be serialized into the cookie.
You'll also need to add handling for KDC_ERR_MORE_PREAUTH_DATA_NEEDED to
the KDC.
So, you'll potentially need to touch kdc/kdc_preauth.c, kdc/fast_util.c,
lib/krb5/krb/get_in_tkt.c, lib/krb5/krb/kdc_preauth.c.
Especially on the KDC side you'll need to expand the preauth plugin
interface.
There are some older mechanisms that use KDC_ERR_PREAUTH_REQUIRED for
multi-round-trip methods. I'd recommend against that approach for
anything new even though it seems like it may be easier.
--Sam
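The client/KDC exchange the message describes, as an added example that is not code from the original post or from the MIT krb5 tree: a toy two-round-trip mechanism (PA_TOY, padata type 1000, constructed for this example) whose KDC keeps no per-conversation state and instead serializes the mechanism's state into an integrity-protected PA-FX-COOKIE that the client echoes back verbatim, with the conversation driven by KDC_ERR_MORE_PREAUTH_DATA_NEEDED. The cookie layout (JSON body plus HMAC-SHA256 tag), the KDC cookie key, the client key and the helper names are assumptions for illustration; the real krb5 preauth plugin interface is not modelled.

```python
"""Simulation of a multi-round-trip Kerberos preauth mechanism (added example).

The KDC is stateless: everything the mechanism needs between round trips
lives in the PA-FX-COOKIE it hands the client, sealed with a KDC-local key
so the client cannot edit or forge it. The mechanism itself (PA_TOY) and
the cookie format are constructed for illustration only.
"""
import hashlib
import hmac
import json
import os
import secrets

KDC_ERR_PREAUTH_FAILED = 24             # RFC 4120
KDC_ERR_MORE_PREAUTH_DATA_NEEDED = 91   # RFC 6113 section 5.2
PA_FX_COOKIE = 133                      # RFC 6113 section 5.3
PA_TOY = 1000                           # constructed padata type for this example

# Constructed long-term key shared by client and KDC for the toy mechanism.
CLIENT_KEY = hashlib.sha256(b"example client key").digest()
TAG_LEN = 32


class Kdc:
    """Stateless KDC: all conversation state is carried in the sealed cookie."""

    def __init__(self):
        # KDC-local secret; never shared with clients.
        self._cookie_key = os.urandom(32)

    def _seal(self, state):
        """Serialize mechanism state and append an HMAC so the client cannot alter it."""
        body = json.dumps(state, sort_keys=True).encode()
        return body + hmac.new(self._cookie_key, body, hashlib.sha256).digest()

    def _open(self, cookie):
        """Verify the HMAC before trusting anything in the cookie body."""
        body, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
        expected = hmac.new(self._cookie_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("cookie integrity check failed")
        return json.loads(body)

    def handle_as_req(self, padata):
        """Process one AS-REQ; return an error (with cookie) or a success marker."""
        try:
            cookie = padata.get(PA_FX_COOKIE)
            state = self._open(cookie) if cookie else {"round": 0}
        except (ValueError, TypeError):
            return {"error": KDC_ERR_PREAUTH_FAILED}

        if state["round"] == 0:
            # Round 1: issue a fresh challenge and stash it in the cookie.
            challenge = secrets.token_hex(16)
            new_state = {"round": 1, "challenge": challenge}
            return {"error": KDC_ERR_MORE_PREAUTH_DATA_NEEDED,
                    "padata": {PA_TOY: {"challenge": challenge},
                               PA_FX_COOKIE: self._seal(new_state)}}

        if state["round"] == 1:
            # Round 2: the challenge comes from the cookie, not from the client.
            expected = hmac.new(CLIENT_KEY, state["challenge"].encode(),
                                hashlib.sha256).hexdigest()
            resp = padata.get(PA_TOY, {}).get("response")
            if resp is None or not hmac.compare_digest(resp, expected):
                return {"error": KDC_ERR_PREAUTH_FAILED}
            return {"error": 0, "ticket": "AS-REP for client"}

        return {"error": KDC_ERR_PREAUTH_FAILED}


def client_step(reply, client_key):
    """Client side: echo the opaque cookie unchanged and answer the challenge."""
    challenge = reply["padata"][PA_TOY]["challenge"]
    response = hmac.new(client_key, challenge.encode(), hashlib.sha256).hexdigest()
    return {PA_FX_COOKIE: reply["padata"][PA_FX_COOKIE],
            PA_TOY: {"response": response}}


def run_exchange(kdc, client_key, tamper=False):
    """Drive the conversation until the KDC stops asking for more data.

    Returns (final_reply, number_of_AS-REQs_sent). With tamper=True the client
    edits the cookie body (leaving the MAC in place) to show the KDC rejects it.
    """
    padata, rounds = {}, 0
    while True:
        reply = kdc.handle_as_req(padata)
        rounds += 1
        if reply["error"] != KDC_ERR_MORE_PREAUTH_DATA_NEEDED:
            return reply, rounds
        padata = client_step(reply, client_key)
        if tamper:
            padata[PA_FX_COOKIE] = padata[PA_FX_COOKIE].replace(b'"round": 1',
                                                                b'"round": 2')


if __name__ == "__main__":
    kdc = Kdc()
    print(run_exchange(kdc, CLIENT_KEY))
    print(run_exchange(kdc, b"wrong key"))
    print(run_exchange(kdc, CLIENT_KEY, tamper=True))
```

The MAC on the cookie is the part that matters once the cookie carries real state: a constant cookie such as "MIT" is harmless only because it carries nothing, whereas a cookie holding a challenge or a round counter that the client can rewrite lets the client skip or replay rounds. A production mechanism would also bind the cookie to the client principal and add a timestamp so stale cookies expire.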