|
Packit |
fd8b60 |
Client preauthentication interface (clpreauth)
|
|
Packit |
fd8b60 |
==============================================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
During an initial ticket request, a KDC may ask a client to prove its
|
|
Packit |
fd8b60 |
knowledge of the password before issuing an encrypted ticket, or to
|
|
Packit |
fd8b60 |
use credentials other than a password. This process is called
|
|
Packit |
fd8b60 |
preauthentication, and is described in :rfc:`4120` and :rfc:`6113`.
|
|
Packit |
fd8b60 |
The clpreauth interface allows the addition of client support for
|
|
Packit |
fd8b60 |
preauthentication mechanisms beyond those included in the core MIT
|
|
Packit |
fd8b60 |
krb5 code base. For a detailed description of the clpreauth
|
|
Packit |
fd8b60 |
interface, see the header file ``<krb5/clpreauth_plugin.h>`` (or
|
|
Packit |
fd8b60 |
``<krb5/preauth_plugin.h>`` before release 1.12).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A clpreauth module is generally responsible for:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Supplying a list of preauth type numbers used by the module in the
|
|
Packit |
fd8b60 |
**pa_type_list** field of the vtable structure.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Indicating what kind of preauthentication mechanism it implements,
|
|
Packit |
fd8b60 |
with the **flags** method. In the most common case, this method
|
|
Packit |
fd8b60 |
just returns ``PA_REAL``, indicating that it implements a normal
|
|
Packit |
fd8b60 |
preauthentication type.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Examining the padata information included in a PREAUTH_REQUIRED or
|
|
Packit |
fd8b60 |
MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
|
|
Packit |
fd8b60 |
next AS request. This is done with the **process** method.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Examining the padata information included in a successful ticket
|
|
Packit |
fd8b60 |
reply, possibly verifying the KDC identity and computing a reply
|
|
Packit |
fd8b60 |
key. This is also done with the **process** method.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* For preauthentication types which support it, recovering from errors
|
|
Packit |
fd8b60 |
by examining the error data from the KDC and producing a padata
|
|
Packit |
fd8b60 |
value for another AS request. This is done with the **tryagain**
|
|
Packit |
fd8b60 |
method.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Receiving option information (supplied by ``kinit -X`` or by an
|
|
Packit |
fd8b60 |
application), with the **gic_opts** method.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A clpreauth module can create and destroy per-library-context and
|
|
Packit |
fd8b60 |
per-request state objects by implementing the **init**, **fini**,
|
|
Packit |
fd8b60 |
**request_init**, and **request_fini** methods. Per-context state
|
|
Packit |
fd8b60 |
objects have the type krb5_clpreauth_moddata, and per-request state
|
|
Packit |
fd8b60 |
objects have the type krb5_clpreauth_modreq. These are abstract
|
|
Packit |
fd8b60 |
pointer types; a module should typically cast these to internal
|
|
Packit |
fd8b60 |
types for the state objects.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The **process** and **tryagain** methods have access to a callback
|
|
Packit |
fd8b60 |
function and handle (called a "rock") which can be used to get
|
|
Packit |
fd8b60 |
additional information about the current request, including the
|
|
Packit |
fd8b60 |
expected enctype of the AS reply, the FAST armor key, and the client
|
|
Packit |
fd8b60 |
long-term key (prompting for the user password if necessary). A
|
|
Packit |
fd8b60 |
callback can also be used to replace the AS reply key if the
|
|
Packit |
fd8b60 |
preauthentication mechanism computes one.
|