Adding support for optimistic preauth to kinit

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Apr 26 11:35:53 EDT 2021


>As part of designing FAST and the preauth framework, we kind of accepted
>that we were effectively killing off optimistic preauth.  In the
>generalized case you might need either the hint data or some other
>information from the KDC to get started, and in the general case, once
>you've started you cannot really restart (without completely restarting
>over and possibly implementing lockout counters).

I hope I made it clear that optimistic preauth and/or reducing round trips
was not REALLY my goal; the goal was to permit the selection of a particular
preauth type; setting the optimistic preauth list was really the only
available API to do that.

I also fully acknowledge that the existing preauth framework is very
complicated and it's hard to make decisions which work universally for
everyone.  It sounds like everyone agrees an API to set the preauth
list would be a good solution.

--Ken

