
Re: pam_krb5 with PKINIT from Heimdal and MIT

On Thu, Oct 12, 2006 at 04:13:06PM -0500, Nicolas Williams wrote:
> On Thu, Oct 12, 2006 at 04:12:42PM -0400, Nalin Dahyabhai wrote:
> > The libkrb5 side of things goes through the list of preauth types
> > suggested by the KDC, and the first preauth type for which it's able to
> > obtain data is deemed good enough to fire off a request to the KDC.
>
> In what order are the pre-auths attempted?

Traditionally, it was the order in which they were listed in the e-data
accompanying the preauth-required error from the KDC.

> If we agree that PADATA should be considered to be unordered then a
> client-side pre-auth preference/precedence order seems necessary.

Agreed.  The recent changes added a libdefaults configuration option
("preferred_preauth_types") which bubbles specified types to the front
of the KDC-supplied list, with the default value for that option to make
libkrb5 prefer the pkinit preauth types ("17, 16, 15, 14").

The result is that if a KDC advertises that it implements pkinit, and a
module is loaded which can supply pkinit preauth data, it gets used.
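An added worked example (not code from the message above or from MIT krb5) modelling the two behaviours described: the preferred_preauth_types reordering, which bubbles the named types to the front of the KDC-supplied list while leaving the rest in KDC order and never adding a type the KDC did not advertise, and the client loop that fires off the first type some loaded module can produce data for. The preauth type numbers are the standard ones from RFC 4120 and RFC 4556 (2 = encrypted timestamp, 14/16 = PKINIT request types, 19 = ETYPE-INFO2); the KDC list and the set of types each module can supply are constructed for the demonstration, and the function names are mine, not libkrb5's.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Standard preauth type numbers (RFC 4120 / RFC 4556).  17 and 15 are the
   PKINIT reply types and never appear in a client request, which is why
   the default "17, 16, 15, 14" only ever moves 16 and 14 in practice. */
#define PA_ENC_TIMESTAMP   2
#define PA_PK_AS_REQ_OLD   14
#define PA_PK_AS_REQ       16
#define PA_ETYPE_INFO2     19

#define MAX_PATYPES 32

/* Parse a libdefaults-style value such as "17, 16, 15, 14" into integers.
   Commas and whitespace separate entries; parsing stops at the first
   token that is not a number.  Returns the number of types parsed. */
size_t parse_preferred(const char *spec, int *out, size_t max)
{
    size_t n = 0;
    const char *p = spec;

    while (*p != '\0' && n < max) {
        while (*p != '\0' && (isspace((unsigned char)*p) || *p == ','))
            p++;
        if (*p == '\0')
            break;
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p)
            break;
        out[n++] = (int)v;
        p = end;
    }
    return n;
}

/* Bubble preferred types to the front of the KDC-supplied list, in the
   order the preference list names them; everything else the KDC sent
   keeps its original relative order behind them.  Types the KDC did not
   advertise are never added.  Returns n_kdc, or 0 if it exceeds MAX_PATYPES. */
size_t reorder_preauth(const int *kdc, size_t n_kdc,
                       const int *pref, size_t n_pref, int *out)
{
    unsigned char taken[MAX_PATYPES] = {0};
    size_t n = 0;

    if (n_kdc > MAX_PATYPES)
        return 0;
    for (size_t i = 0; i < n_pref; i++)
        for (size_t j = 0; j < n_kdc; j++)
            if (!taken[j] && kdc[j] == pref[i]) {
                out[n++] = kdc[j];
                taken[j] = 1;
            }
    for (size_t j = 0; j < n_kdc; j++)
        if (!taken[j])
            out[n++] = kdc[j];
    return n;
}

/* Model of the client loop: walk the ordered list and return the first
   type for which some loaded module can produce data, or -1 if none can. */
int first_usable(const int *ordered, size_t n,
                 const int *can_supply, size_t n_can)
{
    for (size_t i = 0; i < n; i++)
        for (size_t k = 0; k < n_can; k++)
            if (ordered[i] == can_supply[k])
                return ordered[i];
    return -1;
}

/* Constructed scenario: a KDC advertising ETYPE-INFO2, encrypted timestamp
   and both PKINIT request types.  Returns the type the client would send
   first under the given preferred_preauth_types value, with or without a
   module that can supply PKINIT data (the timestamp module is always there). */
int demo_select(const char *preferred_spec, int pkinit_module_loaded)
{
    const int kdc[] = { PA_ETYPE_INFO2, PA_ENC_TIMESTAMP,
                        PA_PK_AS_REQ, PA_PK_AS_REQ_OLD };
    const int with_pkinit[] = { PA_ENC_TIMESTAMP, PA_PK_AS_REQ, PA_PK_AS_REQ_OLD };
    const int timestamp_only[] = { PA_ENC_TIMESTAMP };
    int pref[MAX_PATYPES], ordered[MAX_PATYPES];

    size_t n_pref = parse_preferred(preferred_spec, pref, MAX_PATYPES);
    size_t n = reorder_preauth(kdc, 4, pref, n_pref, ordered);
    if (pkinit_module_loaded)
        return first_usable(ordered, n, with_pkinit, 3);
    return first_usable(ordered, n, timestamp_only, 1);
}

int main(void)
{
    printf("default prefs, pkinit module loaded: type %d\n", demo_select("17, 16, 15, 14", 1));
    printf("no prefs, pkinit module loaded:      type %d\n", demo_select("", 1));
    printf("default prefs, no pkinit module:     type %d\n", demo_select("17, 16, 15, 14", 0));
    return 0;
}
```

With the default preference the client picks PA-PK-AS-REQ (16) as soon as a PKINIT-capable module is loaded; with an empty preferred_preauth_types it falls back to KDC order and sends the encrypted timestamp (2) first, and without a PKINIT module the result is the encrypted timestamp either way. Anything a site lists in preferred_preauth_types that the KDC does not advertise is simply ignored, so the option only selects among what the KDC already offers.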