From 76856efb87d7b11fd5d05680e25b41a58c0e06c7 Mon Sep 17 00:00:00 2001 From: Michael Osipov Date: Wed, 25 Feb 2026 13:56:00 +0100 Subject: [PATCH] Don't load PKINIT if it was disabled in the build Commit e362c356eafb49a9d90a4f20c6668682d4f50222 added trace logging for errors loading plugin modules. For a build with PKINIT disabled, this change has the unfortunate side effect of adding many "unable to load plugin" messages to the trace log. Conditionalize auto-registering PKINIT on it being enabled in the build. [ghudson@mit.edu: added similar conditional to kdc_preauth.c; edited commit message] --- src/kdc/kdc_preauth.c | 4 +++- src/lib/krb5/krb/preauth2.c | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 3752be6a46..99a7a137ab 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -126,9 +126,11 @@ get_plugin_vtables(krb5_context context, *vtables_out = NULL; *n_tables_out = *n_systems_out = 0; - /* Auto-register encrypted challenge and (if possible) pkinit. */ + /* Auto-register built-in modules. */ +#ifndef DISABLE_PKINIT k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "pkinit", "preauth"); +#endif k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "otp", "preauth"); k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "spake", diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index b5ef6c6165..e199f50f99 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -130,8 +130,10 @@ k5_init_preauth_context(krb5_context context) return; /* Auto-register built-in modules. */ +#ifndef DISABLE_PKINIT k5_plugin_register_dyn(context, PLUGIN_INTERFACE_CLPREAUTH, "pkinit", "preauth"); +#endif /* not DISABLE_PKINIT */ k5_plugin_register_dyn(context, PLUGIN_INTERFACE_CLPREAUTH, "spake", "preauth"); k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH, -- 2.47.3