New GSS-preauth plugin available for testing
Alejandro Perez Mendez
alex at um.es
Wed Aug 29 09:27:46 EDT 2012
Hello,
as you may know, I've been implementing a new pre-authentication plugin
which makes use of GSS-API to authenticate a Kerberos client. Besides,
this mechanism allows (depending on the GSS mechanism being used)
authenticating federated users that are not in the KDC database, without
making use of cross-realm. This is true at least when the GSS-EAP
mechanism is selected, though other GSS mechanisms may allow it also.
The Project description can be found here:
http://k5wiki.kerberos.org/wiki/Projects/GSS-API_preauth.
The code can be downloaded and tested here:
https://github.com/alejandro-perez/krb5.git (branch name = gsspreauth).
Besides the plugin code, I have performed a few slight modifications to
the KRB lib to support multi-roundtrip pre-authentication mechanisms
(not supported before). I've also modified the kinit program to allow the
client to specify the PA_DATA to be sent in the first AS_REQ (before
receiving the PA-HINT). More details are available on the wiki page.
My intention is to see this included into the main MIT KRB branch in the
future, so just tell me what I should do next to move it forward.
NOTE: For my tests I have only been using "mech_eap" from Project
Moonshot (http://www.project-moonshot.org/).
Best regards,
Alejandro