Way to indicate pa type in kinit

Alejandro Perez Mendez alex at um.es
Fri Aug 24 05:58:32 EDT 2012


under certain circumstances, it can be interesting to have a way to 
specify a PA-TYPE to be sent when using kinit. In this way, the user 
would be able to directly start a pre-authentication mechanism. This is 
specially important for my GSS-preauthentication, since I would like to 
be able to use GSS default credentials.

Let me give you an example:

A user wants to make use of the GSS preauthentication using his default 
GSS credentials, so it start kinit using something similar to this:

    kinit -X gss_default

The problem is that this results into an AS_REQ sent with the 
cname=whoami, which may be not available in the KDC's database. So it fails.

I would rather prefer having an option to specify the pa_type to be 
included in the AS_REQ. In this way, the preauthentication plugin is 
called, and it is able to update the cname in the AS_REQ message 
according to the default credentials returned by gss_acquire_credentials.

Indeed, I already patched kinit in local copy of the repository. What I 
did is to add an option (-u) which specifies the numeric value of the 
pa_type to be included by using the 
krb5_get_init_creds_opt_set_preauth_list call. 200 is the temporary 
number I assigned to the PA_GSS.

So the client can execute:

    kinit -u 200 -X gss_default

which results in the cname being updated to the actual acquired GSS 
This is also important when -X gss_federated is used, resulting in 


More information about the krbdev mailing list