|
Packit |
fd8b60 |
KDC preauthentication interface (kdcpreauth)
|
|
Packit |
fd8b60 |
============================================
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The kdcpreauth interface allows the addition of KDC support for
|
|
Packit |
fd8b60 |
preauthentication mechanisms beyond those included in the core MIT
|
|
Packit |
fd8b60 |
krb5 code base. For a detailed description of the kdcpreauth
|
|
Packit |
fd8b60 |
interface, see the header file ``<krb5/kdcpreauth_plugin.h>`` (or
|
|
Packit |
fd8b60 |
``<krb5/preauth_plugin.h>`` before release 1.12).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A kdcpreauth module is generally responsible for:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Supplying a list of preauth type numbers used by the module in the
|
|
Packit |
fd8b60 |
**pa_type_list** field of the vtable structure.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Indicating what kind of preauthentication mechanism it implements,
|
|
Packit |
fd8b60 |
with the **flags** method. If the mechanism computes a new reply
|
|
Packit |
fd8b60 |
key, it must specify the ``PA_REPLACES_KEY`` flag. If the mechanism
|
|
Packit |
fd8b60 |
is generally only used with hardware tokens, the ``PA_HARDWARE``
|
|
Packit |
fd8b60 |
flag allows the mechanism to work with principals which have the
|
|
Packit |
fd8b60 |
**requires_hwauth** flag set.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Producing a padata value to be sent with a preauth_required error,
|
|
Packit |
fd8b60 |
with the **edata** method.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Examining a padata value sent by a client and verifying that it
|
|
Packit |
fd8b60 |
proves knowledge of the appropriate client credential information.
|
|
Packit |
fd8b60 |
This is done with the **verify** method.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Producing a padata response value for the client, and possibly
|
|
Packit |
fd8b60 |
computing a reply key. This is done with the **return_padata**
|
|
Packit |
fd8b60 |
method.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A module can create and destroy per-KDC state objects by implementing
|
|
Packit |
fd8b60 |
the **init** and **fini** methods. Per-KDC state objects have the
|
|
Packit |
fd8b60 |
type krb5_kdcpreauth_moddata, which is an abstract pointer types. A
|
|
Packit |
fd8b60 |
module should typically cast this to an internal type for the state
|
|
Packit |
fd8b60 |
object.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A module can create a per-request state object by returning one in the
|
|
Packit |
fd8b60 |
**verify** method, receiving it in the **return_padata** method, and
|
|
Packit |
fd8b60 |
destroying it in the **free_modreq** method. Note that these state
|
|
Packit |
fd8b60 |
objects only apply to the processing of a single AS request packet,
|
|
Packit |
fd8b60 |
not to an entire authentication exchange (since an authentication
|
|
Packit |
fd8b60 |
exchange may remain unfinished by the client or may involve multiple
|
|
Packit |
fd8b60 |
different KDC hosts). Per-request state objects have the type
|
|
Packit |
fd8b60 |
krb5_kdcpreauth_modreq, which is an abstract pointer type.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The **edata**, **verify**, and **return_padata** methods have access
|
|
Packit |
fd8b60 |
to a callback function and handle (called a "rock") which can be used
|
|
Packit |
fd8b60 |
to get additional information about the current request, including the
|
|
Packit |
fd8b60 |
maximum allowable clock skew, the client's long-term keys, the
|
|
Packit |
fd8b60 |
DER-encoded request body, the FAST armor key, string attributes on the
|
|
Packit |
fd8b60 |
client's database entry, and the client's database entry itself. The
|
|
Packit |
fd8b60 |
**verify** method can assert one or more authentication indicators to
|
|
Packit |
fd8b60 |
be included in the issued ticket using the ``add_auth_indicator``
|
|
Packit |
fd8b60 |
callback (new in release 1.14).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A module can generate state information to be included with the next
|
|
Packit |
fd8b60 |
client request using the ``set_cookie`` callback (new in release
|
|
Packit |
fd8b60 |
1.14). On the next request, the module can read this state
|
|
Packit |
fd8b60 |
information using the ``get_cookie`` callback. Cookie information is
|
|
Packit |
fd8b60 |
encrypted, timestamped, and transmitted to the client in a
|
|
Packit |
fd8b60 |
``PA-FX-COOKIE`` pa-data item. Older clients may not support cookies
|
|
Packit |
fd8b60 |
and therefore may not transmit the cookie in the next request; in this
|
|
Packit |
fd8b60 |
case, ``get_cookie`` will not yield the saved information.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
If a module implements a mechanism which requires multiple round
|
|
Packit |
fd8b60 |
trips, its **verify** method can respond with the code
|
|
Packit |
fd8b60 |
``KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED`` and a list of pa-data in
|
|
Packit |
fd8b60 |
the *e_data* parameter to be processed by the client.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The **edata** and **verify** methods can be implemented
|
|
Packit |
fd8b60 |
asynchronously. Because of this, they do not return values directly
|
|
Packit |
fd8b60 |
to the caller, but must instead invoke responder functions with their
|
|
Packit |
fd8b60 |
results. A synchronous implementation can invoke the responder
|
|
Packit |
fd8b60 |
function immediately. An asynchronous implementation can use the
|
|
Packit |
fd8b60 |
callback to get an event context for use with the libverto_ API.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _libverto: https://fedorahosted.org/libverto/
|