New GSS-preauth plugin available for testing

Alejandro Perez Mendez alex at
Wed Aug 29 09:27:46 EDT 2012


as you may know, I've been implementing a new pre-authentication plugin 
which makes use of GSS-API to authenticate a kerberos client. Besides, 
this mechanism allows (depending on the GSS mechanism being used) 
authenticating federated users that are not in the KDC database, without 
making use of cross-realm. This is true at least when the GSS-EAP 
mechanism is selected, though other GSS mechanisms may allow it also.

The Project description can be found here:

The code can be downloaded and tested here: (branch name = gsspreauth).

Besides the plugin code, I have performed few slight modifications to 
the KRB lib to support multi-roundtrip pre-authentication mechanisms 
(not supported before). I've also modified kinit program to allow the 
client to specify the PA_DATA to be sent in the first AS_REQ (before 
receiving the PA-HINT). More details are available on the wiki page.

My intention is to see this included into the main MIT KRB branch in the 
future, so just tell me what I should do next to move it forward.

NOTE: For my tests I have only been using "mech_eap" from Project 
Moonshot (

Best regards,

More information about the krbdev mailing list