"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/doc/plugindev/clpreauth.rst" (12 Feb 2020, 2653 Bytes) of package /linux/misc/krb5-1.18.tar.gz:



Client preauthentication interface (clpreauth)

During an initial ticket request, a KDC may ask a client to prove its knowledge of the password before issuing an encrypted ticket, or to use credentials other than a password. This process is called preauthentication, and is described in RFC 4120 and RFC 6113. The clpreauth interface allows the addition of client support for preauthentication mechanisms beyond those included in the core MIT krb5 code base. For a detailed description of the clpreauth interface, see the header file <krb5/clpreauth_plugin.h> (or <krb5/preauth_plugin.h> before release 1.12).

A clpreauth module is generally responsible for:

A clpreauth module can create and destroy per-library-context and per-request state objects by implementing the init, fini, request_init, and request_fini methods. Per-context state objects have the type krb5_clpreauth_moddata, and per-request state objects have the type krb5_clpreauth_modreq. These are abstract pointer types; a module should typically cast these to internal types for the state objects.

The process and tryagain methods have access to a callback function and handle (called a "rock") which can be used to get additional information about the current request, including the expected enctype of the AS reply, the FAST armor key, and the client long-term key (prompting for the user password if necessary). A callback can also be used to replace the AS reply key if the preauthentication mechanism computes one.
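
A sketch of the per-context and per-request state-object lifecycle described above (init, fini, request_init, request_fini), added here as an example and not taken from the krb5 source. The typedefs and method signatures are stand-in assumptions so the block compiles without krb5 headers, and the demo_* names and struct layouts are hypothetical; the reply_key field assumes a mechanism that holds key material per request, which is why request_fini wipes the object before freeing it.

```c
#include <errno.h>
#include <stdlib.h>
/* Stand-in types (assumptions); a real module includes the krb5 header. */
typedef int krb5_error_code;
typedef struct _krb5_context *krb5_context;
typedef struct krb5_clpreauth_moddata_st *krb5_clpreauth_moddata;
typedef struct krb5_clpreauth_modreq_st *krb5_clpreauth_modreq;

/* Hypothetical internal state behind the two abstract pointer types. */
struct demo_moddata { unsigned long requests_started; };
struct demo_modreq { unsigned char reply_key[32]; size_t key_len; };

/* Zero memory through a volatile pointer so the stores are not elided. */
void demo_wipe(void *p, size_t n)
{
    for (volatile unsigned char *v = p; n > 0; n--)
        *v++ = 0;
}
/* init/fini: allocate and release the per-context state object. */
krb5_error_code demo_init(krb5_context ctx, krb5_clpreauth_moddata *out)
{
    (void)ctx;
    *out = calloc(1, sizeof(struct demo_moddata));
    return (*out == NULL) ? ENOMEM : 0;
}
void demo_fini(krb5_context ctx, krb5_clpreauth_moddata moddata)
{
    (void)ctx;
    free(moddata);
}
/* request_init: *out stays NULL on allocation failure; check before use. */
void demo_request_init(krb5_context ctx, krb5_clpreauth_moddata moddata,
                       krb5_clpreauth_modreq *out)
{
    struct demo_moddata *md = (struct demo_moddata *)moddata;
    (void)ctx;
    *out = calloc(1, sizeof(struct demo_modreq));
    if (*out != NULL)
        md->requests_started++;
}
/* request_fini: wipe key material held for this request, then free it. */
void demo_request_fini(krb5_context ctx, krb5_clpreauth_moddata moddata,
                       krb5_clpreauth_modreq modreq)
{
    (void)ctx; (void)moddata;
    if (modreq != NULL)
        demo_wipe(modreq, sizeof(struct demo_modreq));
    free(modreq);
}
```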