Creating a new pre-authentication plugin

Alejandro Perez Mendez alex at
Thu Aug 2 04:03:08 EDT 2012

On 02/08/12 03:25, Luke Howard wrote:
>> I believe statelessness here requires that each hop be able to be
>> performed against different KDCs.  This is important to me and to
>> others.  I recommend you pursue the exported partially established
>> security context token approach to retain statelessness, which I think
>> is eminently feasible (and would benefit us all in other ways).
> Right, and if the immediate target is GSS EAP, then the Moonshot implementation already supports partial context export on the acceptor side. It might be nice if there was a way of negotiating whether this was supported within the protocol, so that for other GSS mechanisms the client could be bound to a single KDC (but I suppose this is difficult to do with stacked mechanisms).

As a matter of fact, it is :). I'm interested then in knowing how you 
access this functionality. Can I use it by directly calling 
mechglue's gss_export_sec_context()?

We could make the KDC try to obtain a partially exported context. If 
successful, that would be the COOKIE. If it fails, then it can send the 
*encrypted* {gss_ctx_id_t value, PID of the process}. That way, it would 
be easy to reject any pre-authentication directed to the wrong KDC. It 
wouldn't assure success, but it avoids most of the memory problems. Even 
the supervisor worker could look at the PID value and direct it to the 
right queue.

> Luke
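The two-tier cookie sketched in the message above, worked through as an added example that is not part of the thread or of any Kerberos or Moonshot code. It assumes a toy `PartialContext` whose `exportable` flag stands in for whether the acceptor mechanism can export a partial context (the real call would be gss_export_sec_context() on the KDC side, which is not invoked here), a per-KDC secret `cookie_key`, and a stdlib encrypt-then-MAC `seal`/`open_sealed` pair used as a placeholder for a real AEAD. When the context is exportable the cookie carries the state itself and any KDC can resume it; otherwise the cookie is the encrypted {handle, PID} pair, which a different KDC cannot open and therefore rejects before touching any memory.

```python
"""Stateless vs. KDC-bound pre-authentication cookies (constructed example)."""
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PartialContext:
    mech: str
    state: bytes        # mechanism-specific partial state (constructed, opaque here)
    exportable: bool    # stand-in for "acceptor can export a partial context"


@dataclass
class Kdc:
    kdc_id: str
    cookie_key: bytes                        # per-KDC secret: cookies sealed here fail elsewhere
    pid: int                                 # worker process that owns the live context
    live_contexts: Dict[str, PartialContext]  # handle -> context, i.e. this process's memory


COOKIE_EXPORTED = 1   # cookie carries the exported context; any KDC can continue
COOKIE_HANDLE = 2     # cookie names a context living in one KDC process


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; placeholder for a real cipher, not for production use
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # encrypt-then-MAC with stdlib primitives; stand-in for an AEAD such as AES-GCM
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None                      # wrong key (another KDC) or tampered cookie
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def make_cookie(kdc: Kdc, ctx: PartialContext) -> bytes:
    """Prefer the exported context; fall back to an encrypted {handle, PID} reference."""
    if ctx.exportable:
        body = json.dumps({"mech": ctx.mech, "state": ctx.state.hex()}).encode()
        return bytes([COOKIE_EXPORTED]) + body
    handle = secrets.token_hex(8)         # toy replacement for the gss_ctx_id_t value
    kdc.live_contexts[handle] = ctx       # the context stays in this process's memory
    body = json.dumps({"handle": handle, "pid": kdc.pid}).encode()
    return bytes([COOKIE_HANDLE]) + seal(kdc.cookie_key, body)


def resume(kdc: Kdc, cookie: bytes) -> Optional[PartialContext]:
    """Return the context the next hop should continue with, or None to reject."""
    kind, body = cookie[0], cookie[1:]
    if kind == COOKIE_EXPORTED:
        d = json.loads(body)              # stateless: rebuild the context on whichever KDC we are
        return PartialContext(d["mech"], bytes.fromhex(d["state"]), True)
    if kind == COOKIE_HANDLE:
        pt = open_sealed(kdc.cookie_key, body)
        if pt is None:
            return None                   # cookie was sealed by a different KDC: cheap reject
        d = json.loads(pt)
        if d["pid"] != kdc.pid:
            return None                   # right KDC, wrong worker; a supervisor could re-queue instead
        return kdc.live_contexts.get(d["handle"])
    return None
```

The PID check is placed after decryption on purpose: the supervisor routing mentioned in the message only works if the supervisor also holds `cookie_key`, so the queue decision is a property of the KDC host, not of anything the client can forge.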
