[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pam_krb5 with PKINIT from Heimdal and MIT

On Thu, Oct 12, 2006 at 04:12:42PM -0400, Nalin Dahyabhai wrote:
The libkrb5 side of things goes through the list of preauth types
suggested by the KDC, and the first preauth type for which it's able to
obtain data is deemed good enough to fire off a request to the KDC.

In what order are the pre-auths attempted?

If we agree that PADATA should be considered to be unordered then a
client-side pre-auth preference/precedence order seems necessary.