What's missing in fast-otp?
Greg Hudson
ghudson at MIT.EDU
Mon Jul 18 10:11:33 EDT 2011
On Mon, 2011-07-18 at 08:11 -0400, Linus Nordberg wrote:
> - Dependencies -- we depend on libykclient and libcurl
>
> Is this acceptable? With a configure option `--enable-plugin-otp'?

configure.in can just check for the dependency libraries and enable the
OTP plugin if they're found. That's what we do for the securID plugin.

> - Code quality -- a review would be valuable

I will try to find time for this soon.

If you haven't already, please take a look at:
http://k5wiki.kerberos.org/wiki/Coding_style

> - Verification of KDC nonce -- trying to find out if the PA-FX-COOKIE
> can help here.

My current belief is that we do not need to do any verification of the
nonce and we do not need a cookie. I am pursuing this issue with Gareth
on krb-wg.

> - Standard compliance and completeness -- we're far from implementing
> all of draft-ietf-krb-wg-otp-preauth

What is not implemented? What kinds of tokens will be precluded by the
lack of support?

> - Test suite -- what's the preferred way of adding tests for this?

I'd suggest using src/tests/t_anonpkinit.py as a basis. The framework
used for Python tests is in src/util/k5test.py and has fairly complete
documentation.

Other possible issues:

* Is there any way to set up this plugin for use without back-end
integration with IPA? If not, this may make it difficult to create test
cases.

* Documentation, probably in doc/rst_source/krb_admins. Obviously this
will be difficult to document usefully if IPA is required for use.