Dynamic deployment of new preauth plugin for client and kdc


Dynamic deployment of new preauth plugin for client and kdc

drankye
I'm developing a new preauth mechanism like otp based on a FAST tunnel, and wish it were possible to deploy my new plugin module by just dropping the .so file into place, like /usr/local/lib/krb5/plugins/preauth/, just as existing plugin modules such as otp.so and pkinit.so do. However, I found it's not enough, and I also have to modify the following places to register a new entry for the plugin:

In preauth2.c:k5_init_preauth_context(krb5_context context),
...
    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_CLPREAUTH, "pkinit",
                           "preauth");
    k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH, "otp",
                       clpreauth_otp_initvt);
...

In kdc_preauth.c:get_plugin_vtables(),
...
    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "pkinit",
                           "preauth");
    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "otp",
                           "preauth");
...

Is this true, or am I getting something wrong? Do I have to modify the main programs (kinit & kdc) beyond coming up with my new preauth plugin? If so I would contribute and provide a patch to make it possible. By configuration, we would allow both client and KDC to scan the preauth plugin folder to get and load all pre-configured plugin modules. Thus when a new plugin is out, only the configuration needs to be updated to deploy it.

Thanks for your correction and suggestion.

Regards,
Kai

Re: Dynamic deployment of new preauth plugin for client and kdc

Greg Hudson
On 05/27/2014 09:26 AM, drankye wrote:
> I'm developing a new preauth mechanism like otp based on FAST tunnel, and
> wish it's possible to deploy my new plugin module by just dropping the so
> file into place

This isn't possible with most current pluggable interfaces;
third-party modules need to be registered in the profile.  See:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html#plugin-config

(The example there probably shouldn't use "otp", since we now ship an
effectively built-in otp clpreauth module.)

Older pluggable interfaces--the only current public example is the
"locate" interface--did allow modules to simply be dropped into place.
We received feedback from downstream distributors that this was
undesirable; it made it impossible (or at least awkward) to have the
binary package for a module installed but have the module disabled.

See also this thread:

    http://mailman.mit.edu/pipermail/krbdev/2010-July/009171.html
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
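For reference, this is what the profile registration Greg points to looks like in krb5.conf (and kdc.conf for the KDC side). This is an added example, not part of the thread: the module name "mypreauth" and the path under /usr/local/lib/krb5/plugins/preauth/ are assumptions. The dynamic loader resolves a registered module by the symbol <interface>_<modname>_initvt in the named file, so the same .so can serve both interfaces if it exports both clpreauth_mypreauth_initvt and kdcpreauth_mypreauth_initvt. The commented-out disable tag shows how the distributor concern Greg mentions is met: the package stays installed while the module is kept off.

```ini
# Added example: registering a third-party preauth module via the profile.
# "mypreauth" and the .so path are assumed names, not from the thread.
[plugins]
    # Client side: kinit and other initial-ticket callers consult this list.
    clpreauth = {
        module = mypreauth:/usr/local/lib/krb5/plugins/preauth/mypreauth.so
    }

    # KDC side: the same file may provide the kdcpreauth interface too.
    kdcpreauth = {
        module = mypreauth:/usr/local/lib/krb5/plugins/preauth/mypreauth.so
        # Leave the binary package installed but keep the module switched off:
        # disable = mypreauth
    }
```

To confirm the module is actually picked up on the client, run kinit with KRB5_TRACE=/dev/stderr set; the trace output lists the preauth modules the client consults and the result each one returned.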

Re: Dynamic deployment of new preauth plugin for client and kdc

drankye
Thank you Greg for your quick and relevant information! It's very helpful.

Yes, I will look at how to deploy and register my new preauth plugin via profile configuration, trying to avoid any modification of the main programs.