<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Client preauthentication interface (clpreauth) — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '1.18.2',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="next" title="KDC preauthentication interface (kdcpreauth)" href="kdcpreauth.html" />
<link rel="prev" title="General plugin concepts" href="general.html" />
</head>
<body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="general.html" title="General plugin concepts"
accesskey="P">previous</a> |
<a href="kdcpreauth.html" title="KDC preauthentication interface (kdcpreauth)"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Client preauthentication interface (clpreauth)">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="client-preauthentication-interface-clpreauth">
<h1>Client preauthentication interface (clpreauth)<a class="headerlink" href="#client-preauthentication-interface-clpreauth" title="Permalink to this headline">¶</a></h1>
<p>During an initial ticket request, a KDC may ask a client to prove its
knowledge of the password before issuing an encrypted ticket, or to
use credentials other than a password. This process is called
preauthentication, and is described in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4120.html"><strong>RFC 4120</strong></a> and <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a>.
The clpreauth interface allows the addition of client support for
preauthentication mechanisms beyond those included in the core MIT
krb5 code base. For a detailed description of the clpreauth
interface, see the header file <code class="docutils literal"><span class="pre"><krb5/clpreauth_plugin.h></span></code> (or
<code class="docutils literal"><span class="pre"><krb5/preauth_plugin.h></span></code> before release 1.12).</p>
<p>A clpreauth module is generally responsible for:</p>
<ul class="simple">
<li>Supplying a list of preauth type numbers used by the module in the
<strong>pa_type_list</strong> field of the vtable structure.</li>
<li>Indicating what kind of preauthentication mechanism it implements,
with the <strong>flags</strong> method. In the most common case, this method
just returns <code class="docutils literal"><span class="pre">PA_REAL</span></code>, indicating that it implements a normal
preauthentication type.</li>
<li>Examining the padata information included in a PREAUTH_REQUIRED or
MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
next AS request. This is done with the <strong>process</strong> method.</li>
<li>Examining the padata information included in a successful ticket
reply, possibly verifying the KDC identity and computing a reply
key. This is also done with the <strong>process</strong> method.</li>
<li>For preauthentication types which support it, recovering from errors
by examining the error data from the KDC and producing a padata
value for another AS request. This is done with the <strong>tryagain</strong>
method.</li>
<li>Receiving option information (supplied by <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-X</span></code> or by an
application), with the <strong>gic_opts</strong> method.</li>
</ul>
<p>A clpreauth module can create and destroy per-library-context and
per-request state objects by implementing the <strong>init</strong>, <strong>fini</strong>,
<strong>request_init</strong>, and <strong>request_fini</strong> methods. Per-context state
objects have the type krb5_clpreauth_moddata, and per-request state
objects have the type krb5_clpreauth_modreq. These are abstract
pointer types; a module should typically cast these to internal
types for the state objects.</p>
<p>The <strong>process</strong> and <strong>tryagain</strong> methods have access to a callback
function and handle (called a “rock”) which can be used to get
additional information about the current request, including the
expected enctype of the AS reply, the FAST armor key, and the client
long-term key (prompting for the user password if necessary). A
callback can also be used to replace the AS reply key if the
preauthentication mechanism computes one.</p>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">Client preauthentication interface (clpreauth)</a></li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Client preauthentication interface (clpreauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kdcpreauth.html">KDC preauthentication interface (kdcpreauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
<li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
<li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
<li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
<li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.18.2</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2020, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="general.html" title="General plugin concepts"
>previous</a> |
<a href="kdcpreauth.html" title="KDC preauthentication interface (kdcpreauth)"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Client preauthentication interface (clpreauth)">feedback</a>
</div>
</div>
</div>
</body>
</html>