[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pam_krb5 with PKINIT from Heimdal and MIT

To: "Douglas E. Engert" <deengert@anl.gov>, =?utf-8?B?QmrDtnJu?= Torkelsson <torkel@hpc2n.umu.se>, Russ Allbery <rra@stanford.edu>, heimdal-discuss@sics.se, Kevin Coffman <kwc@citi.umich.edu>, Matthijs Mohlmann <matthijs@cacholong.nl>, Jim Rees <rees@citi.umich.edu>, "'krbdev@mit.edu'" <krbdev@mit.edu>
Subject: Re: pam_krb5 with PKINIT from Heimdal and MIT
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu, 12 Oct 2006 18:20:34 -0400
In-Reply-To: <20061012211305.GL12284@binky.Central.Sun.COM>
Organization: Red Hat, Inc.
References: <20061003133404.223b2985.mba2000@ioplex.com> <4523D4FB.6010000@anl.gov> <1160033063.22711.6.camel@monsun.hpc2n.umu.se> <452551E7.7010009@anl.gov> <873ba2siou.fsf@windlord.stanford.edu> <45255B9A.7060106@anl.gov> <877izefgjx.fsf@windlord.stanford.edu> <452687DF.20004@anl.gov> <20061012201242.GC7647@redhat.com> <20061012211305.GL12284@binky.Central.Sun.COM>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mutt/1.5.12-2006-07-14

On Thu, Oct 12, 2006 at 04:13:06PM -0500, Nicolas Williams wrote:
On Thu, Oct 12, 2006 at 04:12:42PM -0400, Nalin Dahyabhai wrote:
The libkrb5 side of things goes through the list of preauth types
suggested by the KDC, and the first preauth type for which it's able to
obtain data is deemed good enough to fire off a request to the KDC.

In what order are the pre-auths attempted?

Traditionally, it was the order in which they were listed in the e-data
accompanying the preauth-required error from the KDC.

If we agree that PADATA should be considered to be unordered then a
client-side pre-auth preference/precedence order seems necessary.

Agreed.  The recent changes added a libdefaults configuration option
("preferred_preauth_types") which bubbles specified types to the front
of the KDC-supplied list, with the default value for that option to make
libkrb5 prefer the pkinit preauth types ("17, 16, 15, 14").

The result is that if a KDC advertises that it implements pkinit, and a
module is loaded which can supply pkinit preauth data, it gets used.

Nalin

Follow-Ups:
- Re: pam_krb5 with PKINIT from Heimdal and MIT
  - From: Sam Hartman <hartmans@mit.edu>

References:
- Re: The state of the heimdal project
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: The state of the heimdal project
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: The state of the heimdal project
  - From: Björn Torkelsson <torkel@hpc2n.umu.se>
- Re: The state of the heimdal project
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: The state of the heimdal project
  - From: Russ Allbery <rra@stanford.edu>
- pam_krb5 with PKINIT from Heimdal and MIT
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: pam_krb5 with PKINIT from Heimdal and MIT
  - From: Nalin Dahyabhai <nalin@redhat.com>
- Re: pam_krb5 with PKINIT from Heimdal and MIT
  - From: Nicolas Williams <Nicolas.Williams@sun.com>

Prev by Date: Re: pam_krb5 with PKINIT from Heimdal and MIT
Next by Date: Re: pam_krb5 with PKINIT from Heimdal and MIT
Prev by thread: Re: pam_krb5 with PKINIT from Heimdal and MIT
Next by thread: Re: pam_krb5 with PKINIT from Heimdal and MIT
Index(es):
- Date
- Thread