xref: /freebsd/crypto/krb5/doc/html/plugindev/clpreauth.html (revision b670c9bafc0e31c7609969bf374b2e80bdc00211)

<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

    <title>Client preauthentication interface (clpreauth) &#8212; MIT Kerberos Documentation</title>
    <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
    <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
    <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
    <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
    <script src="../_static/jquery.js"></script>
    <script src="../_static/underscore.js"></script>
    <script src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="next" title="KDC preauthentication interface (kdcpreauth)" href="kdcpreauth.html" />
    <link rel="prev" title="General plugin concepts" href="general.html" />
  </head><body>
    <div class="header-wrapper">
        <div class="header">


            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>

            <div class="rel">

        <a href="../index.html" title="Full Table of Contents"
            accesskey="C">Contents</a> |
        <a href="general.html" title="General plugin concepts"
            accesskey="P">previous</a> |
        <a href="kdcpreauth.html" title="KDC preauthentication interface (kdcpreauth)"
            accesskey="N">next</a> |
        <a href="../genindex.html" title="General Index"
            accesskey="I">index</a> |
        <a href="../search.html" title="Enter search criteria"
            accesskey="S">Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Client preauthentication interface (clpreauth)">feedback</a>
            </div>
        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">

      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">

  <section id="client-preauthentication-interface-clpreauth">
<h1>Client preauthentication interface (clpreauth)<a class="headerlink" href="#client-preauthentication-interface-clpreauth" title="Permalink to this headline">¶</a></h1>
<p>During an initial ticket request, a KDC may ask a client to prove its
knowledge of the password before issuing an encrypted ticket, or to
use credentials other than a password.  This process is called
preauthentication, and is described in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4120.html"><strong>RFC 4120</strong></a> and <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a>.
The clpreauth interface allows the addition of client support for
preauthentication mechanisms beyond those included in the core MIT
krb5 code base.  For a detailed description of the clpreauth
interface, see the header file <code class="docutils literal notranslate"><span class="pre">&lt;krb5/clpreauth_plugin.h&gt;</span></code> (or
<code class="docutils literal notranslate"><span class="pre">&lt;krb5/preauth_plugin.h&gt;</span></code> before release 1.12).</p>
<p>A clpreauth module is generally responsible for:</p>
<ul class="simple">
<li><p>Supplying a list of preauth type numbers used by the module in the
<strong>pa_type_list</strong> field of the vtable structure.</p></li>
<li><p>Indicating what kind of preauthentication mechanism it implements,
with the <strong>flags</strong> method.  In the most common case, this method
just returns <code class="docutils literal notranslate"><span class="pre">PA_REAL</span></code>, indicating that it implements a normal
preauthentication type.</p></li>
<li><p>Examining the padata information included in a PREAUTH_REQUIRED or
MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
next AS request.  This is done with the <strong>process</strong> method.</p></li>
<li><p>Examining the padata information included in a successful ticket
reply, possibly verifying the KDC identity and computing a reply
key.  This is also done with the <strong>process</strong> method.</p></li>
<li><p>For preauthentication types which support it, recovering from errors
by examining the error data from the KDC and producing a padata
value for another AS request.  This is done with the <strong>tryagain</strong>
method.</p></li>
<li><p>Receiving option information (supplied by <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-X</span></code> or by an
application), with the <strong>gic_opts</strong> method.</p></li>
</ul>
<p>A clpreauth module can create and destroy per-library-context and
per-request state objects by implementing the <strong>init</strong>, <strong>fini</strong>,
<strong>request_init</strong>, and <strong>request_fini</strong> methods.  Per-context state
objects have the type krb5_clpreauth_moddata, and per-request state
objects have the type krb5_clpreauth_modreq.  These are abstract
pointer types; a module should typically cast these to internal
types for the state objects.</p>
<p>The <strong>process</strong> and <strong>tryagain</strong> methods have access to a callback
function and handle (called a “rock”) which can be used to get
additional information about the current request, including the
expected enctype of the AS reply, the FAST armor key, and the client
long-term key (prompting for the user password if necessary).  A
callback can also be used to replace the AS reply key if the
preauthentication mechanism computes one.</p>
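<p>The following is an added example, not code from the krb5 project, that puts the pieces described above together: a module that fills in <strong>pa_type_list</strong>, answers <strong>flags</strong> with <code class="docutils literal notranslate"><span class="pre">PA_REAL</span></code>, keeps per-request state through <strong>request_init</strong>/<strong>request_fini</strong>, and uses one <strong>process</strong> method for both the error-path padata and the reply-path padata, where it refuses a reply whose padata does not match the challenge it stored and only then replaces the reply key through the rock.  Beside it sits the library-side step that picks a module for an incoming padata type.  So that it compiles without the krb5 headers, it uses stand-in types (<code class="docutils literal notranslate"><span class="pre">cl_padata</span></code>, <code class="docutils literal notranslate"><span class="pre">cl_rock</span></code>, <code class="docutils literal notranslate"><span class="pre">cl_vtable</span></code>, <code class="docutils literal notranslate"><span class="pre">demo_modreq</span></code>) that mirror the shape of the interface rather than the real <code class="docutils literal notranslate"><span class="pre">&lt;krb5/clpreauth_plugin.h&gt;</span></code> declarations; the preauth type number 9001, the challenge bytes and the reversed-byte "answer" are constructed sample values standing in for a real mechanism.</p>

```c
/* Added example, not krb5 project code.  Stand-in types mirror the clpreauth
 * interface described on this page; real types are in <krb5/clpreauth_plugin.h>. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PA_REAL 0x00000001   /* normal preauth type (value as in the real header) */
#define PA_INFO 0x00000002   /* informational type, e.g. etype-info */

#define DEMO_PA_TYPE  9001   /* constructed; not an assigned pa-type number */
#define DEMO_NONCE_LEN 4

typedef int pa_type_t;

/* Stand-in for one padata element: type number plus a short value. */
typedef struct { pa_type_t type; unsigned char val[DEMO_NONCE_LEN]; size_t len; } cl_padata;

/* Stand-in "rock": per-request facts the library exposes to process(). */
typedef struct {
    int expected_enctype;   /* enctype of the coming AS reply (18 = aes256-cts) */
    int have_fast_armor;    /* non-zero when a FAST armor key is available */
    int reply_key_set;      /* set once the module replaces the AS reply key */
} cl_rock;

/* Per-request state; a real module casts krb5_clpreauth_modreq to this. */
typedef struct { int saw_challenge; unsigned char nonce[DEMO_NONCE_LEN]; } demo_modreq;

/* Stand-in vtable carrying the methods named on this page. */
typedef struct {
    const char *name;
    const pa_type_t *pa_type_list;            /* zero-terminated */
    int (*flags)(pa_type_t pa_type);
    void *(*request_init)(void);
    void (*request_fini)(void *modreq);
    /* in_reply: 0 = padata from a PREAUTH_REQUIRED error, 1 = from the AS-REP */
    int (*process)(void *modreq, cl_rock *rock, int in_reply,
                   const cl_padata *in, cl_padata *out);
} cl_vtable;

static const pa_type_t demo_types[] = { DEMO_PA_TYPE, 0 };

static int demo_flags(pa_type_t pa_type) { return pa_type == DEMO_PA_TYPE ? PA_REAL : 0; }
static void *demo_request_init(void) { return calloc(1, sizeof(demo_modreq)); }
static void demo_request_fini(void *modreq) { free(modreq); }

static int
demo_process(void *modreq, cl_rock *rock, int in_reply,
             const cl_padata *in, cl_padata *out)
{
    demo_modreq *st = modreq;
    if (in->type != DEMO_PA_TYPE || in->len != DEMO_NONCE_LEN)
        return -1;                                /* not ours, or malformed */
    if (!in_reply) {
        /* Error path: remember the KDC's challenge in per-request state and
         * answer it.  Reversing the bytes stands in for a real computation. */
        memcpy(st->nonce, in->val, DEMO_NONCE_LEN);
        st->saw_challenge = 1;
        out->type = DEMO_PA_TYPE;
        out->len = DEMO_NONCE_LEN;
        for (size_t i = 0; i < DEMO_NONCE_LEN; i++)
            out->val[i] = in->val[DEMO_NONCE_LEN - 1 - i];
        return 0;
    }
    /* Reply path: accept only a KDC that echoes the stored challenge, and
     * only then hand the library a reply key through the rock. */
    if (!st->saw_challenge || memcmp(st->nonce, in->val, DEMO_NONCE_LEN) != 0)
        return -2;                                /* KDC failed verification */
    rock->reply_key_set = 1;
    return 0;
}

static const cl_vtable demo_vtable = {
    "demo", demo_types, demo_flags, demo_request_init, demo_request_fini, demo_process
};

/* Library side: does this module list the type and treat it as a real preauth type? */
int module_handles(const cl_vtable *vt, pa_type_t t)
{
    for (const pa_type_t *p = vt->pa_type_list; *p != 0; p++)
        if (*p == t && (vt->flags(t) & PA_REAL))
            return 1;
    return 0;
}

/* One AS exchange: error padata -> response padata -> reply padata.  Returns 0
 * on success or the failing step; tamper flips a byte of the KDC's echo. */
int demo_exchange(int tamper)
{
    cl_padata err = { DEMO_PA_TYPE, {0x11, 0x22, 0x33, 0x44}, DEMO_NONCE_LEN }; /* constructed */
    cl_padata resp = {0}, reply = err;
    cl_rock rock = { 18, 0, 0 };
    void *req;
    int rc;

    if (!module_handles(&demo_vtable, err.type)) return 1;
    req = demo_vtable.request_init();
    rc = demo_vtable.process(req, &rock, 0, &err, &resp);
    if (rc != 0 || resp.val[0] != 0x44) { demo_vtable.request_fini(req); return 2; }
    if (tamper) reply.val[0] ^= 0xff;
    rc = demo_vtable.process(req, &rock, 1, &reply, NULL);
    demo_vtable.request_fini(req);
    if (rc != 0) return 3;
    return rock.reply_key_set ? 0 : 4;
}

int main(void)
{
    printf("honest KDC: %d, tampered echo: %d\n", demo_exchange(0), demo_exchange(1));
    return 0;
}
```

<p>The point to take from the reply path is ordering: the module checks the KDC's padata against state it kept from the error round before it touches the reply key, so a reply that does not match is rejected (step 3) instead of being accepted with a key the module never verified.</p>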
</section>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
        </div>
        <div class="sidebar">

    <h2>On this page</h2>
    <ul>
<li><a class="reference internal" href="#">Client preauthentication interface (clpreauth)</a></li>
</ul>

    <br/>
    <h2>Table of contents</h2>
    <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Client preauthentication interface (clpreauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kdcpreauth.html">KDC preauthentication interface (kdcpreauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kadm5_auth.html">kadmin authorization interface (kadm5_auth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
<li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
<li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
<li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
<li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>

    <br/>
    <h4><a href="../index.html">Full Table of Contents</a></h4>
    <h4>Search</h4>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" size="18" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>

        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.21.3</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
            </div>
            <div class="left">

        <a href="../index.html" title="Full Table of Contents"
            >Contents</a> |
        <a href="general.html" title="General plugin concepts"
            >previous</a> |
        <a href="kdcpreauth.html" title="KDC preauthentication interface (kdcpreauth)"
            >next</a> |
        <a href="../genindex.html" title="General Index"
            >index</a> |
        <a href="../search.html" title="Enter search criteria"
            >Search</a> |
    <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Client preauthentication interface (clpreauth)">feedback</a>
            </div>
        </div>
    </div>

  </body>
</html>