Creating a new pre-authentication plugin
lukeh at padl.com
Thu Aug 2 03:56:03 EDT 2012
> If we had the table of valid handlers, we could add an expiration time.
> From time to time, mechglue can look up expired contexts and delete
> them. Though I think this may be highly inefficient.
I think it would be less intrusive to make this the responsibility of the preauthentication plugin rather than changing the mechglue.
> The problem with this approach is that exporting partially established
> contexts is something not allowed by current GSS-API specification.
The GSS-API specification can be evolved; plenty of things that modern mechanisms use, such as the PRF and naming extensions, were not allowed by the original GSS-API specification.