Implementing a multi-round trip preauthentication method

Sam Hartman hartmans at MIT.EDU
Wed Oct 6 10:06:45 EDT 2010

>>>>> "Alejandro" == Alejandro Perez Mendez <alex at> writes:

    Alejandro> Hello Sam, thanks for your quick a complete
    Alejandro> response. Actually, I don't want to use FAST.

    Alejandro> As you mentioned, I saw that there exists a preauth
    Alejandro> plugin interface with some preauth_plugins, so I could
    Alejandro> take one of them and use it as a template to build
    Alejandro> mine. I also saw that within this interface there is a
    Alejandro> try_again() method defined that is called when an error
    Alejandro> is received from the KDC. I could use that function to
    Alejandro> send the next request when
    Alejandro> KDC_ERR_MORE_PREAUTH_DATA_NEEDED is received from the
    Alejandro> KDC. Am I right?

If you do this, your plugin will probably break when we add real support for
 multi-round-trip  mechanisms.

However, besides that,  I think you'll probably be OK on the client.

That won't really help with the KDC.

What preauth interface are you implementing? I've already talked to a
group from your university about preauth for EAP.

More information about the krbdev mailing list