Adding support for optimistic preauth to kinit

Ken Hornstein kenh at
Sat Apr 3 20:09:06 EDT 2021

So during some recent testing, I realized that there is one bit of
functionality in kinit that is missing; the ability to set the optimistic
preauth list.  By this, I mean a list of preauthentication types to try
first instead of falling back to a list based on the list from the
"preauth required" error code.

Why would you want to do this?  Well, here's what we use that for:

- We have users that have a hardware preauth configured, but not required.
  This allows them to use their password to access a subset of site
  resources but optionally use their hardware token to access resources that
  require the extra security of a hardware token.

- We have users that have multiple tokens configured (typically this is
  a smartcard that is used with PKINIT and a one-time token that uses SAM2).
  There are a number of times where you might want to use one or the
  other (if one is non-functional, or you can't use a smartcard driver).

>From an architectural standpoint, the hard work is already done; the
library supports this via an already-exposed API in the get_init_creds
interface (krb5_get_init_creds_opt_set_preauth_list()).  It's just
that kinit has no way to set this list.

What I was thinking was a new flag lets you add preauth types to the
optimistic preauth list.  I'm not sure what letter makes sense as a lot
are already taken.  Maybe -U?  I have no preference here.  What this
would look like would be:

% kinit -U pkinit -U sam2 -U 191 user at REALM

The idea here being you could pick from a small list of symbolic
names of preauth types, and if that wasn't sufficient you could add
a number to capture future types.  You could add multiple options to
have multiple entries in the preauth list.  I think this is relatively
straightforward to implement; what do people think of this idea?  I'd be
glad to submit the code for it.


More information about the krbdev mailing list