[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: preauth_always option?

To: Michael B Allen <miallen@ioplex.com>
Subject: Re: preauth_always option?
From: Ken Raeburn <raeburn@MIT.EDU>
Date: Thu, 29 May 2008 18:35:43 -0400
Cc: heimdal-discuss@sics.se, "Douglas E. Engert" <deengert@anl.gov>, Love Hörnquist Åstrand <lha@kth.se>
In-Reply-To: <20080529174456.c295dad0.miallen@ioplex.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <20080528161545.3b01bbc5.miallen@ioplex.com> <92911A79-07C9-448A-BBF7-9306024E0EAF@kth.se> <20080528223229.2f8c0aa4.miallen@ioplex.com> <483EB7C2.7090305@anl.gov> <45A5967E-75F1-4AF8-BB3C-52C7BD6D0B30@mit.edu> <20080529141939.eae9ce59.miallen@ioplex.com> <CB2034A9-F5CA-40E9-8619-AA88F706EE7E@MIT.EDU> <20080529174456.c295dad0.miallen@ioplex.com>
Reply-To: heimdal-discuss@sics.se, Ken Raeburn <raeburn@MIT.EDU>

On May 29, 2008, at 17:44, Michael B Allen wrote:
>> I would think you'd want to bury this code in the library, and maybe
>> have a flag at the API layer enabling or disabling the use of the
>> cached data, but otherwise leave it for the internal implementation,
>> which has access to all that info.  Why do you think it should be  
>> at a
>> higher level?
>
> Because the library doesn't know how the application would like to  
> cache
> ETYPE_INFO data.
>
> Some applications might want to put it in a file (e.g. kinit). In my
> scenario simply saving the one ETYPE_INFO as a hint in a static  
> variable
> of the function calling krb5_get_init_creds_whatever would be  
> sufficient
> to eliminate 99% of the faulty AS-REQs.

Ah, I see.  I figured it would be the library, and thus independent of  
whatever application was doing the caching, and applicable even if you  
use a different application to get credentials the next time (e.g.,  
pam at login time, then kinit after expiration).  But I guess there  
are cases where you don't have, for example, a home directory  
available, and you may need to do something else...

The etype-info data cache will probably solve a lot of cases, but if  
you need to use preauth, you still wind up having to configure that,  
or incur the round-trip to have the KDC tell you.  Saving the preauth  
type too -- or maybe exporting a opaque "AS-REQ info cache" blob from  
the library, which might be extended later -- might be better.  Maybe  
the opaque blob only contains etype-info to start, but is set up to be  
extensible?

Ken

References:
- preauth_always option?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: preauth_always option?
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: preauth_always option?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: preauth_always option?
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: preauth_always option?
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: preauth_always option?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: preauth_always option?
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: preauth_always option?
  - From: Michael B Allen <miallen@ioplex.com>

Prev by Date: Re: preauth_always option?
Next by Date: Re: preauth_always option?
Prev by thread: Re: preauth_always option?
Next by thread: Re: preauth_always option?
Index(es):
- Date
- Thread