Implementing a multi-round trip preauthentication method

Sam Hartman hartmans at MIT.EDU
Wed Oct 6 08:42:25 EDT 2010

First read the IETF draft-ietf-krb-wg-preauth-framework.

If you are doing a multi-round-trip mechanism you almost certainly want
to make it be a FAST factor.

On the client, it's relatively easy. There is an opaque state that is
passed from mechanism to mechanism.
All you'd need to do is implement support for

On the KDC side it's more complicated.  Currently, the constant cookie
MIT is sent in order to keep a conversation alive.  You'll need to
provide a facility so that a preauth method can give information to the
KDC to be serialized into the cookie.
You'll also need to add handling for KDC_ERR_MORE_PREAUTH_DATA_NEEDED to
the KDC.

So, you'll potentially need to touch kdc/kdc_preauth.c, kdc/fast_util.c,
lib/krb5/krb/get_in_tkt.c, lib/krb5/krb/kdc_preauth.c.

Especially on the KDC side you'll need to expand the preauth plugin

There are some older mechanisms that use KDC_ERR_PREAUTH_REQUIRED for
multi-round-trip methods. I'd recommend against that approach for
anything new even though it seems like it may be easier.
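
Added illustration (not part of Sam's message and not MIT krb5 code): a self-contained Python model of the exchange described above. The KDC keeps no per-client state between rounds; the mechanism's state is serialized into an integrity-protected cookie that the client echoes back, the client carries its own opaque round counter, and the KDC answers KDC_ERR_PREAUTH_REQUIRED on the first round and KDC_ERR_MORE_PREAUTH_DATA_NEEDED on each further round until the mechanism completes. The mechanism itself (a two-round challenge/response keyed by the client's long-term key), the cookie layout and all class and function names are hypothetical; only the error-code numbers are the real RFC 4120 / RFC 6113 values.

```python
"""Model of a multi-round-trip Kerberos preauth exchange (illustrative only)."""
import hashlib
import hmac
import json
import os
import secrets

# Error codes from RFC 4120 and RFC 6113.
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
KDC_ERR_MORE_PREAUTH_DATA_NEEDED = 91
ROUNDS = 2  # the hypothetical mechanism needs two challenge/response rounds


def _prf(key, *parts):
    """HMAC-SHA256 over the '|'-joined parts; used for cookie MAC and responses."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class KDC:
    def __init__(self, client_keys):
        self.client_keys = client_keys      # principal -> long-term key (constructed)
        self.cookie_key = os.urandom(32)    # KDC-local key protecting the cookie

    def _seal(self, state):
        """Serialize mechanism state into the cookie and append a MAC."""
        body = json.dumps(state, sort_keys=True).encode()
        return body + _prf(self.cookie_key, b"cookie", body)

    def _open(self, cookie):
        """Verify the MAC and deserialize; any tampering is rejected here."""
        body, tag = cookie[:-32], cookie[-32:]
        if not hmac.compare_digest(tag, _prf(self.cookie_key, b"cookie", body)):
            raise ValueError("cookie integrity check failed")
        return json.loads(body)

    def _challenge(self, principal, rnd):
        return {"cname": principal, "round": rnd, "challenge": secrets.token_hex(16)}

    def handle_as_req(self, principal, padata=None, cookie=None):
        """Return (error code or 0, reply). No state survives between calls."""
        key = self.client_keys[principal]
        if padata is None:  # first AS-REQ: demand preauth, start round 1
            st = self._challenge(principal, 1)
            return KDC_ERR_PREAUTH_REQUIRED, {"challenge": st["challenge"], "cookie": self._seal(st)}
        try:
            st = self._open(cookie)
        except ValueError:
            return KDC_ERR_PREAUTH_FAILED, None
        if st["cname"] != principal or st["round"] != padata["round"]:
            return KDC_ERR_PREAUTH_FAILED, None
        expected = _prf(key, b"resp", str(st["round"]).encode(), st["challenge"].encode())
        if not hmac.compare_digest(expected, bytes.fromhex(padata["response"])):
            return KDC_ERR_PREAUTH_FAILED, None
        if st["round"] < ROUNDS:  # mechanism not finished: ask for another round
            nxt = self._challenge(principal, st["round"] + 1)
            return KDC_ERR_MORE_PREAUTH_DATA_NEEDED, {"challenge": nxt["challenge"], "cookie": self._seal(nxt)}
        return 0, {"as_rep": "ticket for " + principal}


class Client:
    def __init__(self, principal, key):
        self.principal, self.key = principal, key
        self.round = 0  # opaque per-mechanism state kept on the client side

    def respond(self, err):
        """Answer the challenge in a KDC error and echo its cookie unchanged."""
        self.round += 1
        resp = _prf(self.key, b"resp", str(self.round).encode(), err["challenge"].encode())
        return {"round": self.round, "response": resp.hex()}, err["cookie"]


def run_exchange(kdc, client):
    """Drive a client through the exchange; returns (codes seen, final reply)."""
    codes = []
    code, msg = kdc.handle_as_req(client.principal)
    codes.append(code)
    while code in (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_MORE_PREAUTH_DATA_NEEDED):
        padata, cookie = client.respond(msg)
        code, msg = kdc.handle_as_req(client.principal, padata, cookie)
        codes.append(code)
    return codes, msg


if __name__ == "__main__":
    k = b"k" * 32  # constructed long-term key
    kdc = KDC({"alice@EXAMPLE.COM": k})
    print(run_exchange(kdc, Client("alice@EXAMPLE.COM", k)))   # [25, 91, 0] then AS-REP
    print(run_exchange(kdc, Client("alice@EXAMPLE.COM", b"x" * 32)))  # [25, 24] then None
```

The model protects the cookie with an HMAC under a KDC-local key, which is what lets the KDC stay stateless while still trusting the round number and challenge it gets back. It carries no expiry and no encryption; a real cookie would need a timestamp to bound replay of an old round, and encryption if the mechanism state it carries is sensitive.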
