[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pam_krb5 with PKINIT from Heimdal and MIT

To: Nalin Dahyabhai <nalin@redhat.com>
Subject: Re: pam_krb5 with PKINIT from Heimdal and MIT
From: Sam Hartman <hartmans@mit.edu>
Date: Fri, 13 Oct 2006 16:02:01 -0400
Cc: "Douglas E. Engert" <deengert@anl.gov>, Björn Torkelsson <torkel@hpc2n.umu.se>, Russ Allbery <rra@stanford.edu>, heimdal-discuss@sics.se, Kevin Coffman <kwc@citi.umich.edu>, Matthijs Mohlmann <matthijs@cacholong.nl>, Jim Rees <rees@citi.umich.edu>, "'krbdev@mit.edu'" <krbdev@mit.edu>
In-Reply-To: <20061012222034.GA25148@redhat.com> (Nalin Dahyabhai's message of"Thu, 12 Oct 2006 18:20:34 -0400")
References: <20061003133404.223b2985.mba2000@ioplex.com><4523D4FB.6010000@anl.gov><1160033063.22711.6.camel@monsun.hpc2n.umu.se><452551E7.7010009@anl.gov> <873ba2siou.fsf@windlord.stanford.edu><45255B9A.7060106@anl.gov> <877izefgjx.fsf@windlord.stanford.edu><452687DF.20004@anl.gov> <20061012201242.GC7647@redhat.com><20061012211305.GL12284@binky.Central.Sun.COM><20061012222034.GA25148@redhat.com>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

>>>>> "Nalin" == Nalin Dahyabhai <nalin@redhat.com> writes:

    Nalin> On Thu, Oct 12, 2006 at 04:13:06PM -0500, Nicolas Williams wrote:
    >> On Thu, Oct 12, 2006 at 04:12:42PM -0400, Nalin Dahyabhai wrote:
    >> > The libkrb5 side of things goes through the list of preauth types
    >> > suggested by the KDC, and the first preauth type for which it's able to
    >> > obtain data is deemed good enough to fire off a request to the KDC.
    >> 
    >> In what order are the pre-auths attempted?

    Nalin> Traditionally, it was the order in which they were listed in the e-data
    Nalin> accompanying the preauth-required error from the KDC.

    >> If we agree that PADATA should be considered to be unordered then a
    >> client-side pre-auth preference/precedence order seems necessary.

FTR, I am entirely unconvinced that padata should be unordered.  I
think this is a fairly bad idea.
I think it in acceptable for a client to reorder padata with no associated data in a preauth_required error.

I'm open to arguments about why unordered preauth is good, but I'm
concerned that it will limit flexibility for extending Kerberos.

I'm very concerned about a case where one preauth module causes other
preauth modules to be ignored.  I think the only case is that you
don't want two replace key modules used in the same request.

References:
- Re: The state of the heimdal project
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: The state of the heimdal project
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: The state of the heimdal project
  - From: Björn Torkelsson <torkel@hpc2n.umu.se>
- Re: The state of the heimdal project
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: The state of the heimdal project
  - From: Russ Allbery <rra@stanford.edu>
- pam_krb5 with PKINIT from Heimdal and MIT
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: pam_krb5 with PKINIT from Heimdal and MIT
  - From: Nalin Dahyabhai <nalin@redhat.com>
- Re: pam_krb5 with PKINIT from Heimdal and MIT
  - From: Nicolas Williams <Nicolas.Williams@sun.com>
- Re: pam_krb5 with PKINIT from Heimdal and MIT
  - From: Nalin Dahyabhai <nalin@redhat.com>

Prev by Date: Re: pam_krb5 with PKINIT from Heimdal and MIT
Prev by thread: Re: pam_krb5 with PKINIT from Heimdal and MIT
Next by thread: Re: pam_krb5 with PKINIT from Heimdal and MIT
Index(es):
- Date
- Thread