Adding support for optimistic preauth to kinit

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Apr 4 23:43:23 EDT 2021


>I think the problem is both harder and easier than this.
>
>Each preauth mechanism works differently, and some lend themselves to
>optimistic preauth better than others:
>[...]

That's all fair, and I admit that this is kind of the intersection of
what's available in terms of the API and the complexity of the preauth
code.

Really, the REAL goal is to force a particular preauth mechanism.  We have
patches to kinit that make it so when kinit is called as "pkinit", it
will try PKINIT by default.  The way this is done is by setting the
optimistic preauth list.  But that has the sub-optimal behavior of making
it so that if PKINIT doesn't work, it falls back to a password prompt
(well, that happens if PKINIT fails in the context of loading the plugin
or some other initial setup fails).

>A path of lower resistance is to add an option to force a particular
>preauth mech (single choice, hard-failing if it isn't available or
>doesn't work).  clpreauth modules already declare names like "pkinit"
>and "sam2" which could be matched against.  This approach has the
>notable failing of requiring users to know something about preauth
>mechs--in particular, if the user wants to authenticate with just their
>password as registered with kpasswd, they need to know which of three
>different preauth mechs to use (encrypted_timestamp,
>encrypted_challenge, and spake) based on specific knowledge of their
>realm and client capabilities.

Honestly, I'd be fine with this (although it does occur to me that you
might want to specify more than one preauth to use).

I am thinking there are two classes of users that would make use of this.

- Developers/admins/other "power users"; they'd already know the right
  options or would have the ability to figure it out.

- Regular users who would simply be told what option they needed to add to
  kinit to access particular resources.  For these people, they wouldn't
  really know or care what the option means; it could be "-Y bloopitybloop"
  and they'd just add that to the kinit command line.

--Ken
