Creating a new pre-authentication plugin
lukeh at padl.com
Wed Aug 1 22:25:11 EDT 2012
> I believe statelessness here requires that each hop be able to be
> performed against different KDCs. This is important to me and to
> others. I recommend you pursue the exported partially established
> security context token approach to retain statelessness, which I think
> is eminently feasible (and would benefit us all in other ways).
Right, and if the immediate target is GSS EAP, then the Moonshot implementation already supports partial context export on the acceptor side. It might be nice if there was a way of negotiating whether this was supported within the protocol, so that for other GSS mechanisms the client could be bound to a single KDC (but I suppose this is difficult to do with stacked mechanisms).