Way to indicate pa type in kinit
Alejandro Perez Mendez
alex at um.es
Fri Aug 24 05:58:32 EDT 2012
Hello,
under certain circumstances, it can be interesting to have a way to
specify a PA-TYPE to be sent when using kinit. In this way, the user
would be able to directly start a pre-authentication mechanism. This is
especially important for my GSS-preauthentication, since I would like to
be able to use GSS default credentials.
Let me give you an example:
A user wants to make use of the GSS preauthentication using his default
GSS credentials, so he starts kinit using something similar to this:
kinit -X gss_default
The problem is that this results in an AS_REQ sent with the
cname=whoami, which may not be available in the KDC's database. So it fails.
I would prefer to have an option to specify the pa_type to be
included in the AS_REQ. In this way, the preauthentication plugin is
called, and it is able to update the cname in the AS_REQ message
according to the default credentials returned by gss_acquire_credentials.
Indeed, I already patched kinit in a local copy of the repository. What I
did was add an option (-u) which specifies the numeric value of the
pa_type to be included by using the
krb5_get_init_creds_opt_set_preauth_list call. 200 is the temporary
number I assigned to the PA_GSS.
So the client can execute:
kinit -u 200 -X gss_default
which results in the cname being updated to the actual acquired GSS
credentials.
This is also important when -X gss_federated is used, resulting in
cname=WELLKNOWN/FEDERATED.
Regards,
Alejandro
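Added example (not the author's patch and not MIT kinit code): a self-contained C program that handles the two options discussed in the post, `-u <pa_type>` and `-X attr[=value]`, the way a patched kinit would have to before handing the values to libkrb5. It validates the numeric PA-TYPE so that it fits a krb5_int32 (the type libkrb5 uses for krb5_preauthtype) and rejects garbage or out-of-range input, and it splits `-X` arguments into the attribute/value pair that krb5_get_init_creds_opt_set_pa() takes. The libkrb5 calls themselves are only named in comments and printed output, so the program builds without libkrb5; the struct and function names are this example's own, and the PA-TYPE value 200 is the temporary number from the post.

```c
/* Option handling for the kinit extension described in the post.
 * Example code, not the author's patch or MIT krb5 code. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PA_OPTS 8

struct kinit_opts {
    int have_pa_type;               /* set when -u was given */
    int32_t pa_type;                /* krb5_preauthtype is a krb5_int32 in libkrb5 */
    int n_pa;                       /* number of -X attr[=value] options seen */
    const char *pa_attr[MAX_PA_OPTS];
    const char *pa_value[MAX_PA_OPTS];
    char pa_buf[MAX_PA_OPTS][64];   /* storage for the split attr=value strings */
};

/* Parse the -u argument: a decimal PA-TYPE that must fit a krb5_int32.
 * Returns 0 on success, -1 on a malformed, empty or out-of-range value. */
static int parse_pa_type(const char *s, int32_t *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')      /* overflow of long, or trailing junk */
        return -1;
    if (v < INT32_MIN || v > INT32_MAX)  /* would not fit krb5_preauthtype */
        return -1;
    *out = (int32_t)v;
    return 0;
}

/* Split one -X argument into attribute and value at the first '='.
 * With no '=' the value is the empty string (kinit's own -X behaves this way). */
static int add_pa_option(struct kinit_opts *o, const char *arg)
{
    char *sep;

    if (o->n_pa >= MAX_PA_OPTS || strlen(arg) >= sizeof o->pa_buf[0])
        return -1;
    strcpy(o->pa_buf[o->n_pa], arg);
    sep = strchr(o->pa_buf[o->n_pa], '=');
    if (sep != NULL) {
        *sep = '\0';
        o->pa_value[o->n_pa] = sep + 1;
    } else {
        o->pa_value[o->n_pa] = "";
    }
    o->pa_attr[o->n_pa] = o->pa_buf[o->n_pa];
    o->n_pa++;
    return 0;
}

/* Walk argv and fill *o. Only -u and -X are understood here; any other
 * argument, or a missing option value, is a usage error (returns -1). */
int parse_kinit_args(int argc, char **argv, struct kinit_opts *o)
{
    int i;

    memset(o, 0, sizeof *o);
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-u") == 0) {
            if (i + 1 >= argc || parse_pa_type(argv[++i], &o->pa_type) != 0)
                return -1;
            o->have_pa_type = 1;
        } else if (strcmp(argv[i], "-X") == 0) {
            if (i + 1 >= argc || add_pa_option(o, argv[++i]) != 0)
                return -1;
        } else {
            return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct kinit_opts o;
    int i;

    if (parse_kinit_args(argc, argv, &o) != 0) {
        fprintf(stderr, "usage: %s [-u pa_type] [-X attr[=value]] ...\n", argv[0]);
        return 2;
    }
    /* A real kinit would now call, with a krb5_preauthtype list of length 1:
     *   krb5_get_init_creds_opt_set_preauth_list(opt, &pa_type, 1);
     * and, for each -X option:
     *   krb5_get_init_creds_opt_set_pa(context, opt, attr, value); */
    if (o.have_pa_type)
        printf("preauth list: [%ld]\n", (long)o.pa_type);
    for (i = 0; i < o.n_pa; i++)
        printf("pa option: attr=\"%s\" value=\"%s\"\n", o.pa_attr[i], o.pa_value[i]);
    return 0;
}
```

Running it as `./a.out -u 200 -X gss_default` reports a preauth list of `[200]` and the attribute `gss_default` with an empty value; `-u 20x` or a value outside the krb5_int32 range is rejected before anything reaches libkrb5, which is the check a defender would want in front of a numeric option that selects a preauth mechanism.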