Dynamic deployment of new preauth plugin for client and kdc
I'm developing a new preauth mechanism like otp based on FAST tunnel, and wish it's possible to deploy my new plugin module by just dropping the so file into a place like /usr/local/lib/krb5/plugins/preauth/, just as existing plugin modules like otp.so and pkinit.so do. However, I found it's not enough, and I also have to modify the following places to register a new entry for the plugin:
Is this true, or am I getting something wrong? Should I have to modify the main programs (kinit & kdc) in addition to coming up with my new preauth plugin? If so, I would contribute and provide a patch to make it true. By configuration, we would allow the client and the kdc both to scan the preauth plugin folder to get and load all pre-configured plugin modules. Thus when a new plugin is out, only the configuration needs to be updated to deploy it.
Re: Dynamic deployment of new preauth plugin for client and kdc
On 05/27/2014 09:26 AM, drankye wrote:
> I'm developing a new preauth mechanism like otp based on FAST tunnel, and
> wish it's possible to deploy my new plugin module by just dropping the so
> file into place
This isn't possible with most currently pluggable interfaces;
third-party modules need to be registered in the profile. See:
(The example there probably shouldn't use "otp", since we now ship an
effectively built-in otp clpreauth module.)
Older pluggable interfaces--the only current public example is the
"locate" interface--did allow modules to simply be dropped into place.
We received feedback from downstream distributors that this was
undesirable; it made it impossible (or at least awkward) to have the
binary package for a module installed but have the module disabled.
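
As an added illustration (not part of the thread, and not taken from the krb5 project): registering a third-party preauth module in the `[plugins]` section of the profile, and keeping an installed module switched off. The module name `mypreauth` and the file name `mypreauth.so` are hypothetical.

```ini
# krb5.conf fragment. "mypreauth" and mypreauth.so are hypothetical names.
[plugins]
# Client side: the clpreauth interface.
    clpreauth = {
# Form is modulename:pathname. A relative pathname is resolved
# against plugin_base_dir.
        module = mypreauth:preauth/mypreauth.so
    }
# KDC side: the kdcpreauth interface.
    kdcpreauth = {
        module = mypreauth:preauth/mypreauth.so
# To leave the binary package installed but the module inactive,
# uncomment the next line (or remove the module line above):
#       disable = mypreauth
    }
```

With this model, dropping a shared object into the plugin directory does nothing until the profile names it, so reviewing the `[plugins]` section shows exactly which third-party preauth code the client and KDC will load.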