1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
Client preauthentication interface (clpreauth)
==============================================
During an initial ticket request, a KDC may ask a client to prove its
knowledge of the password before issuing an encrypted ticket, or to
use credentials other than a password. This process is called
preauthentication, and is described in :rfc:`4120` and :rfc:`6113`.
The clpreauth interface allows the addition of client support for
preauthentication mechanisms beyond those included in the core MIT
krb5 code base. For a detailed description of the clpreauth
interface, see the header file ``<krb5/clpreauth_plugin.h>`` (or
``<krb5/preauth_plugin.h>`` before release 1.12).
A clpreauth module is generally responsible for:
* Supplying a list of preauth type numbers used by the module in the
**pa_type_list** field of the vtable structure.
* Indicating what kind of preauthentication mechanism it implements,
with the **flags** method. In the most common case, this method
just returns ``PA_REAL``, indicating that it implements a normal
preauthentication type.
* Examining the padata information included in the preauth_required
error and producing padata values for the next AS request. This is
done with the **process** method.
* Examining the padata information included in a successful ticket
reply, possibly verifying the KDC identity and computing a reply
key. This is also done with the **process** method.
* For preauthentication types which support it, recovering from errors
by examining the error data from the KDC and producing a padata
value for another AS request. This is done with the **tryagain**
method.
* Receiving option information (supplied by ``kinit -X`` or by an
application), with the **gic_opts** method.
A clpreauth module can create and destroy per-library-context and
per-request state objects by implementing the **init**, **fini**,
**request_init**, and **request_fini** methods. Per-context state
objects have the type krb5_clpreauth_moddata, and per-request state
objects have the type krb5_clpreauth_modreq. These are abstract
pointer types; a module should typically cast these to internal
types for the state objects.
The **process** and **tryagain** methods have access to a callback
function and handle (called a "rock") which can be used to get
additional information about the current request, including the
expected enctype of the AS reply, the FAST armor key, and the client
long-term key (prompting for the user password if necessary). A
callback can also be used to replace the AS reply key if the
preauthentication mechanism computes one.
|
