diff options
author | Ben Kaduk <kaduk@mit.edu> | 2012-10-15 14:39:15 -0400 |
---|---|---|
committer | Ben Kaduk <kaduk@mit.edu> | 2012-10-15 19:20:44 -0400 |
commit | e95f9f6875f4cbcae60fe96696eb83a6972bbf26 (patch) | |
tree | a56a1baa43cb89187aaba76ab1eb8836511effed /doc/plugindev/clpreauth.rst | |
parent | ee26c4bbf4fc271ebf76d50a23ca27ef74220404 (diff) | |
download | krb5-e95f9f6875f4cbcae60fe96696eb83a6972bbf26.tar.gz krb5-e95f9f6875f4cbcae60fe96696eb83a6972bbf26.tar.xz krb5-e95f9f6875f4cbcae60fe96696eb83a6972bbf26.zip |
Massive reST content rename
All of rst_source/ is now just in doc/.
The krb_ prefix is stripped from the document sub-directories.
rst_tools are now just tools.
The section headers of kadmind, krb5kdc, and sserver match as conflict markers.
bigredbutton: whitespace
ticket: 7409
Diffstat (limited to 'doc/plugindev/clpreauth.rst')
-rw-r--r-- | doc/plugindev/clpreauth.rst | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/doc/plugindev/clpreauth.rst b/doc/plugindev/clpreauth.rst new file mode 100644 index 0000000000..68e56aa5f1 --- /dev/null +++ b/doc/plugindev/clpreauth.rst @@ -0,0 +1,53 @@ +Client preauthentication interface (clpreauth) +============================================== + +During an initial ticket request, a KDC may ask a client to prove its +knowledge of the password before issuing an encrypted ticket, or to +use credentials other than a password. This process is called +preauthentication, and is described in :rfc:`4120` and :rfc:`6113`. +The clpreauth interface allows the addition of client support for +preauthentication mechanisms beyond those included in the core MIT +krb5 code base. For a detailed description of the clpreauth +interface, see the header file ``<krb5/preauth_plugin.h>``. + +A clpreauth module is generally responsible for: + +* Supplying a list of preauth type numbers used by the module in the + **pa_type_list** field of the vtable structure. + +* Indicating what kind of preauthentication mechanism it implements, + with the **flags** method. In the most common case, this method + just returns ``PA_REAL``, indicating that it implements a normal + preauthentication type. + +* Examining the padata information included in the preauth_required + error and producing padata values for the next AS request. This is + done with the **process** method. + +* Examining the padata information included in a successful ticket + reply, possibly verifying the KDC identity and computing a reply + key. This is also done with the **process** method. + +* For preauthentication types which support it, recovering from errors + by examining the error data from the KDC and producing a padata + value for another AS request. This is done with the **tryagain** + method. + +* Receiving option information (supplied by ``kinit -X`` or by an + application), with the **gic_opts** method. + +A clpreauth module can create and destroy per-library-context and +per-request state objects by implementing the **init**, **fini**, +**request_init**, and **request_fini** methods. Per-context state +objects have the type krb5_clpreauth_moddata, and per-request state +objects have the type krb5_clpreauth_modreq. These are abstract +pointer types; a module should typically cast these to internal +types for the state objects. + +The **process** and **tryagain** methods have access to a callback +function and handle (called a "rock") which can be used to get +additional information about the current request, including the +expected enctype of the AS reply, the FAST armor key, and the client +long-term key (prompting for the user password if necessary). A +callback can also be used to replace the AS reply key if the +preauthentication mechanism computes one. |