Implementing a KDB plugin

Greg Hudson ghudson at mit.edu
Thu May 5 18:03:28 EDT 2016


On 05/05/2016 05:25 PM, harsh savla wrote:
> I was thinking along the lines that the security blob (encrypted using
> the user's password as a key) received by the krb5kdc service on user
> login will be passed to the cloud service via the kdb plugin.

It may be possible to gateway from the Kerberos protocol to a web
service and back to the Kerberos protocol again, but the MIT krb5 KDC
cannot be transformed into such a gateway element by a KDB module.  KDB
modules can control how principal metadata and key data is retrieved,
and can participate in some policy decisions, but they cannot make
radical alterations to the basic protocol flow.

We do implement an HTTP proxy protocol called MS-KKDCP in our clients as
of release 1.13, but it's a bit different than what you describe.

