Plug-in interfaces & internal APIs

Ken Hornstein kenh at
Sat May 16 02:14:24 EDT 2015

So I've been spending recent time converting some of our horrible, ancient
hacks into plugins for the new version of MIT Kerberos.  That's actually
going pretty well, but it led me to see some things I wish existed in
the plugin API.

I know that doing your own PKINIT plugin requires a lot of internal
interfaces and changing that is hard.  But most of the plugins I've written
still require internal interfaces, and that's a bit frustrating.

The biggest issue is configuration; most of the plugins require some KDC-wide
configuration (e.g.: Yubikey requires a few parameters, like the URL for
the validation server, a client identifier, an API key, etc etc).  Right
now you have to call the internal profile APIs to get stuff out of krb5.conf
or kdc.conf.  This makes me wonder exactly what people's thoughts were in
terms of plugin configuration (it may be that this was never considered).

The second thing I've run into is storing per-principal information.
I know about the set_strings/get_strings interface; we use that, and
it's great!  But we have some cases where the plugin needs to modify
some data associated with the principal, and there is no set_strings
interface.  I know there's a callback to retrieve the principal record,
but I was wondering if that's the preferred method for storing stuff,
or if there should be an additional callback to store string data
(or TL_DATA) on a per-principal basis.

Thoughts?  These are just things that have popped out at me in the past
few weeks.

