Implementing a multi-round trip preauthentication method

Alejandro Perez Mendez alex at
Wed Oct 6 09:25:18 EDT 2010

Hello Sam,

thanks for your quick a complete response. Actually, I don't want to use

As you mentioned, I saw that there exists a preauth plugin interface
with some preauth_plugins, so I could take one of them and use it as a
template to build mine. I also saw that within this interface there is a
try_again() method defined that is called when an error is received from
the KDC. I could use that function to send the next request when
KDC_ERR_MORE_PREAUTH_DATA_NEEDED is received from the KDC. Am I right?

Best regards,

> First read the IETF draft-ietf-krb-wg-preauth-framework.
> If you are doing a multi-round-trip mechanism you almost certainly want
> to make it be a FAST factor.
> On the client, it's relatively easy. There is an opaque state that is
> passed from mechanism to mechanism.
> All you'd need to do is implement support for
> On the KDC side it's more complicated.  Currently, the constant cookie
> MIT is sent in order to keep a conversation alive.  You'll need to
> provide a facility so that a preauth method can give information to the
> KDC to be serialized into the cookie.
> You'll also need to add handling for KDC_ERR_MORE_PREAUTH_DATA_NEEDED to
> the KDC.
> so, you'll potentially need to touch kdc/kdc_preauth.c, kdc/fast_util.c,
> lib/krb5/krb/get_in_tkt.c, lib/krb5/krb/kdc_preauth.c.
> Especially on the KDC side you'll need to expand the preauth plugin
> interface.
> There are some older mechanisms that use KDC_ERR_PREAUTH_REQUIRED for
> multi-round-trip methods. I'd recommend against that approach for
> anything new even though it seems like it may be easier.
> --Sam

More information about the krbdev mailing list