<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Client preauthentication interface (clpreauth) &mdash; MIT Kerberos Documentation</title>
    
    <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.15.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
    <link rel="up" title="For plugin module developers" href="index.html" />
    <link rel="next" title="KDC preauthentication interface (kdcpreauth)" href="kdcpreauth.html" />
    <link rel="prev" title="General plugin concepts" href="general.html" /> 
  </head>
  <body>
    <div class="header-wrapper">
        <div class="header">
            
            
            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
            
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">
            
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="client-preauthentication-interface-clpreauth">
<h1>Client preauthentication interface (clpreauth)<a class="headerlink" href="#client-preauthentication-interface-clpreauth" title="Permalink to this headline"></a></h1>
<p>During an initial ticket request, a KDC may ask a client to prove its
knowledge of the password before issuing an encrypted ticket, or to
use credentials other than a password.  This process is called
preauthentication, and is described in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html"><strong>RFC 4120</strong></a> and <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a>.
The clpreauth interface allows the addition of client support for
preauthentication mechanisms beyond those included in the core MIT
krb5 code base.  For a detailed description of the clpreauth
interface, see the header file <tt class="docutils literal"><span class="pre">&lt;krb5/clpreauth_plugin.h&gt;</span></tt> (or
<tt class="docutils literal"><span class="pre">&lt;krb5/preauth_plugin.h&gt;</span></tt> before release 1.12).</p>
<p>A clpreauth module is generally responsible for:</p>
<ul class="simple">
<li>Supplying a list of preauth type numbers used by the module in the
<strong>pa_type_list</strong> field of the vtable structure.</li>
<li>Indicating what kind of preauthentication mechanism it implements,
with the <strong>flags</strong> method.  In the most common case, this method
just returns <tt class="docutils literal"><span class="pre">PA_REAL</span></tt>, indicating that it implements a normal
preauthentication type.</li>
<li>Examining the padata information included in a PREAUTH_REQUIRED or
MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
next AS request.  This is done with the <strong>process</strong> method.</li>
<li>Examining the padata information included in a successful ticket
reply, possibly verifying the KDC identity and computing a reply
key.  This is also done with the <strong>process</strong> method.</li>
<li>For preauthentication types which support it, recovering from errors
by examining the error data from the KDC and producing a padata
value for another AS request.  This is done with the <strong>tryagain</strong>
method.</li>
<li>Receiving option information (supplied by <tt class="docutils literal"><span class="pre">kinit</span> <span class="pre">-X</span></tt> or by an
application), with the <strong>gic_opts</strong> method.</li>
</ul>
<p>A clpreauth module can create and destroy per-library-context and
per-request state objects by implementing the <strong>init</strong>, <strong>fini</strong>,
<strong>request_init</strong>, and <strong>request_fini</strong> methods.  Per-context state
objects have the type krb5_clpreauth_moddata, and per-request state
objects have the type krb5_clpreauth_modreq.  These are abstract
pointer types; a module should typically cast these to internal
types for the state objects.</p>
<p>The <strong>process</strong> and <strong>tryagain</strong> methods have access to a callback
function and handle (called a &#8220;rock&#8221;) which can be used to get
additional information about the current request, including the
expected enctype of the AS reply, the FAST armor key, and the client
long-term key (prompting for the user password if necessary).  A
callback can also be used to replace the AS reply key if the
preauthentication mechanism computes one.</p>
</div>


          </div>
        </div>
      </div>
        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.15.1</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
            </div>
        </div>
    </div>

  </body>
</html>