Authdata, preauth plugin headers

Greg Hudson ghudson at MIT.EDU
Fri Jun 17 09:58:10 EDT 2011


On Thu, 2011-06-09 at 12:25 -0400, Greg Hudson wrote:
> 1. Use the new plugin framework.

I've committed this to the trunk.  Anyone working on preauth plugins for
1.10 should feel free to contact me (via IRC or email) if they need help
adjusting.

> 2. Provide a way to get and set the cookie.

For current use cases, the only place you'd want to set a cookie is in
get_edata.  So adding a cookie parameter there should be sufficient for
now.

If we ever want to support multi-hop mechanisms, we'd also need the
ability to set a cookie in return_padata.  I don't know if it's worth
adding the parameter there now; are there other things we'd need to
change in the kdcpreauth interface for multi-hop?

> 3. Maybe make it possible for a preauth plugin to compute a reply key
> after the service ticket is finalized

I'm likely to punt on this unless there's interest.  It can be handled
in the future by adding a new optional method to get the reply key.

> 5. Maybe change to how error data is generated.

I'm likely to punt on this unless someone has a clever idea for how to
handle the non-FAST PKINIT requirement to format e-data as typed data.


More information about the krbdev mailing list