Dynamic deployment of new preauth plugin for client and kdc

drankye kai.zheng at intel.com
Tue May 27 09:26:38 EDT 2014

I'm developing a new preauth mechanism like otp based on FAST tunnel, and
wish it's possible to deploy my new plugin module by just dropping the so
file into place like /usr/local/lib/krb5/plugins/preauth/ just as existing
plugin modules do, like otp.so and pkinit.so. However, I found it's not
enough, and also have to modify the following places to register a new entry
for the plugin:

In preauth2.c:k5_init_preauth_context(krb5_context context),
    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_CLPREAUTH, "pkinit",
    k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH, "otp",

In kdc_preauth.c:get_plugin_vtables(),
    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "pkinit",
    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "otp",

Should this be true or anything I'm getting wrong? Should I have to modify
the main programs (kinit & kdc) other than coming up my new preauth plugin?
If so I would contribute and provide a patch to make it true. By
configuration, we would allow client and kdc both scan the preauth plugin
folder to get and load all pre-configured plugin modules. Thus when new
plugin is out, only configuration is needed to update to deploy it.

Thanks for your correction and suggestion.


View this message in context: http://kerberos.996246.n3.nabble.com/Dynamic-deployment-of-new-preauth-plugin-for-client-and-kdc-tp40439.html
Sent from the Kerberos - Dev mailing list archive at Nabble.com.

More information about the krbdev mailing list