Creating a new pre-authentication plugin

Luke Howard lukeh at padl.com
Thu Aug 2 03:56:03 EDT 2012


> If we had the table of valid handlers, we could add an expiration time.
> From time to time, mechglue can look for expired contexts and delete
> them. Though I think this may be highly inefficient.

I think it would be less intrusive to make this the responsibility of the preauthentication plugin rather than changing the mechglue.

> The problem with this approach is that exporting partially established 
> contexts is something not allowed by current GSS-API specification.


The GSS-API specification can be evolved; plenty of things that modern mechanisms use, such as the PRF and naming extensions, were not allowed by the original GSS-API specification.

-- Luke

