What's missing in fast-otp?

Greg Hudson ghudson at MIT.EDU
Mon Jul 18 10:11:33 EDT 2011

On Mon, 2011-07-18 at 08:11 -0400, Linus Nordberg wrote:
> - Dependencies -- we depend on libykclient and libcurl
>   Is this acceptable?  With a configure option `--enable-plugin-otp'?

configure.in can just check for the dependency libraries and enable the
OTP plugin if they're found.  That's what we do for the securID plugin.

> - Code quality -- a review would be valuable

I will try to find time for this soon.

If you haven't already, please take a look at:

> - Verification of KDC nonce -- trying to find out if the PA-FX-COOKIE
>   can help here.

My current belief is that we do not need to do any verification of the
nonce and we do not need a cookie.  I am pursuing this issue with Gareth
on krb-wg.

> - Standard compliance and completeness -- we're far from implementing
>   all of draft-ietf-krb-wg-otp-preauth

What is not implemented?  What kinds of tokens will be precluded by the
lack of support?

> - Test suite -- what's the preferred way of adding tests for this?

I'd suggest using src/tests/t_anonpkinit.py as a basis.  The framework
used for Python tests is in src/util/k5test.py and has fairly complete

Other possible issues:

* Is there any way to set up this plugin for use without back-end
integration with IPA?  If not, this may make it difficult to create test

* Documentation, probably in doc/rst_source/krb_admins.  Obviously this
will be difficult to document usefully if IPA is required for use.

More information about the krbdev mailing list