Conditional prompting with PKINIT preauth

Greg Hudson ghudson at MIT.EDU
Mon May 27 16:51:55 EDT 2013


In the prompter, you can call krb5_get_prompt_types() to get an array of
types for each prompt.  (It may return NULL in some cases.)  If the
prompt type is KRB5_PROMPT_TYPE_PASSWORD, then you know you're being
asked for the password.  This should allow you to (1) disable password
prompting when use_pkinit is set, and (2) store the password when
try_pkinit is set and the library falls back.  Is this sufficient?

More generally, I'm not sure the pam_krb5 module ought to be driving the
decision to use PKINIT.  For Heimdal it may be necessary to make PKINIT
go at all, but MIT krb5 tries to control preauthentication from within
libkrb5 and the KDC, so that new mechanisms can be added via loadable
modules.

That said, we do have this in 1.11:


http://web.mit.edu/kerberos/krb5-latest/doc/appdev/init_creds.html#responder-callback

(See also http://k5wiki.kerberos.org/wiki/Projects/Responder)  However,
it won't be integrated properly with PKINIT until 1.12.
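As an added illustration of the prompter logic described above (this is example code written for this page, not pam_krb5's or MIT krb5's own), the following C file shows a prompter that inspects the per-prompt type array and (1) declines password prompts when use_pkinit is set, (2) answers and remembers the password when try_pkinit is set and libkrb5 falls back. To build without libkrb5 the krb5 types, the KRB5_PROMPT_TYPE_* constants and the KRB5_LIBOS_CANTREADPWD value are redeclared locally to mirror <krb5.h> (that error-code value is an assumption); a real module includes <krb5.h>, uses the krb5_prompter_fct signature and obtains the `types` array by calling krb5_get_prompt_types(context) inside the prompter rather than taking it as a parameter. Names such as pkinit_aware_prompter, pkinit_prompter_state and the scenario_* helpers, and the sample password "hunter2" and PIN "1234", are constructed for the example.

```c
/* Added example: PKINIT-aware prompter. Types/constants mirror <krb5.h>
 * so this builds stand-alone; real code includes <krb5.h> instead. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t krb5_magic;
typedef long krb5_error_code;
typedef int krb5_prompt_type;
typedef struct _krb5_data { krb5_magic magic; unsigned int length; char *data; } krb5_data;
typedef struct _krb5_prompt { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;

#define KRB5_PROMPT_TYPE_PASSWORD 0x1
#define KRB5_PROMPT_TYPE_PREAUTH  0x4
/* Code a prompter returns to decline; numeric value assumed from krb5's error table. */
#define KRB5_LIBOS_CANTREADPWD (-1765328255L)

/* State the PAM module passes through the prompter's `data` argument. */
struct pkinit_prompter_state {
    int use_pkinit;             /* PKINIT required: never answer a password prompt */
    int try_pkinit;             /* PKINIT preferred: on fallback, remember the password */
    const char *pam_password;   /* password PAM already collected, or NULL */
    const char *preauth_answer; /* e.g. smartcard PIN for a PREAUTH prompt, or NULL */
    char *saved_password;       /* set when the library fell back to a password */
};

/* Copy an answer into the library-provided reply buffer. krb5 convention:
 * reply->length is the buffer size on entry and the answer length on exit. */
static krb5_error_code answer_prompt(krb5_prompt *p, const char *answer) {
    size_t n = strlen(answer);
    if (n >= p->reply->length) return KRB5_LIBOS_CANTREADPWD; /* no room for NUL */
    memcpy(p->reply->data, answer, n + 1);
    p->reply->length = (unsigned int)n;
    return 0;
}

krb5_error_code pkinit_aware_prompter(void *data, int num_prompts,
                                      krb5_prompt prompts[],
                                      const krb5_prompt_type *types) {
    struct pkinit_prompter_state *st = data;
    int i;
    for (i = 0; i < num_prompts; i++) {
        /* krb5_get_prompt_types() may return NULL; without type information
         * the only safe assumption is that the prompt wants the password. */
        krb5_prompt_type t = types != NULL ? types[i] : KRB5_PROMPT_TYPE_PASSWORD;
        if (t == KRB5_PROMPT_TYPE_PASSWORD) {
            if (st->use_pkinit || st->pam_password == NULL)
                return KRB5_LIBOS_CANTREADPWD;        /* (1) refuse password auth */
            krb5_error_code ret = answer_prompt(&prompts[i], st->pam_password);
            if (ret) return ret;
            if (st->try_pkinit) {                      /* (2) fallback happened */
                size_t n = strlen(st->pam_password) + 1;
                free(st->saved_password);
                st->saved_password = malloc(n);
                if (st->saved_password == NULL) return KRB5_LIBOS_CANTREADPWD;
                memcpy(st->saved_password, st->pam_password, n);
            }
        } else if (t == KRB5_PROMPT_TYPE_PREAUTH && st->preauth_answer != NULL) {
            krb5_error_code ret = answer_prompt(&prompts[i], st->preauth_answer);
            if (ret) return ret;
        } else {
            return KRB5_LIBOS_CANTREADPWD;             /* nothing we can answer */
        }
    }
    return 0;
}

/* Scenario helpers with constructed input: one hidden prompt and a 64-byte
 * reply buffer, laid out as libkrb5 hands them to a prompter. */
static char reply_buf[64];
static krb5_data reply;
static krb5_prompt prompt;

static void setup_prompt(const char *text) {
    memset(reply_buf, 0, sizeof reply_buf);
    reply.magic = 0; reply.length = sizeof reply_buf; reply.data = reply_buf;
    prompt.prompt = (char *)text; prompt.hidden = 1; prompt.reply = &reply;
}

/* use_pkinit set: a password prompt must be declined. */
krb5_error_code scenario_use_pkinit(void) {
    struct pkinit_prompter_state st = {1, 0, "hunter2", NULL, NULL};
    krb5_prompt_type types[1] = {KRB5_PROMPT_TYPE_PASSWORD};
    setup_prompt("Password for alice@EXAMPLE.COM: ");
    return pkinit_aware_prompter(&st, 1, &prompt, types);
}

/* No type array at all (NULL) with use_pkinit: still declined. */
krb5_error_code scenario_unknown_types(void) {
    struct pkinit_prompter_state st = {1, 0, "hunter2", NULL, NULL};
    setup_prompt("Password for alice@EXAMPLE.COM: ");
    return pkinit_aware_prompter(&st, 1, &prompt, NULL);
}

/* try_pkinit set and the library fell back to a password prompt: the prompt
 * is answered and the password remembered. Returns it, or NULL on failure. */
const char *scenario_try_pkinit_fallback(void) {
    static struct pkinit_prompter_state st;
    krb5_prompt_type types[1] = {KRB5_PROMPT_TYPE_PASSWORD};
    free(st.saved_password);
    st = (struct pkinit_prompter_state){0, 1, "hunter2", NULL, NULL};
    setup_prompt("Password for alice@EXAMPLE.COM: ");
    if (pkinit_aware_prompter(&st, 1, &prompt, types) != 0) return NULL;
    if (reply.length != 7 || strcmp(reply_buf, "hunter2") != 0) return NULL;
    return st.saved_password;
}

/* A PKINIT PIN prompt arrives as KRB5_PROMPT_TYPE_PREAUTH, not PASSWORD, so
 * it is answered even with use_pkinit set. Returns the reply text. */
const char *scenario_preauth_pin(void) {
    struct pkinit_prompter_state st = {1, 0, NULL, "1234", NULL};
    krb5_prompt_type types[1] = {KRB5_PROMPT_TYPE_PREAUTH};
    setup_prompt("PIN for smartcard: ");
    if (pkinit_aware_prompter(&st, 1, &prompt, types) != 0) return NULL;
    return reply_buf;
}

int main(void) {
    printf("use_pkinit password prompt -> %ld\n", scenario_use_pkinit());
    printf("NULL types with use_pkinit -> %ld\n", scenario_unknown_types());
    printf("try_pkinit fallback saved  -> %s\n", scenario_try_pkinit_fallback());
    printf("PREAUTH PIN prompt reply   -> %s\n", scenario_preauth_pin());
    return 0;
}
```

The point of checking the type rather than the prompt text is that the PIN prompt PKINIT issues is typed KRB5_PROMPT_TYPE_PREAUTH, so a use_pkinit module can keep answering it while refusing KRB5_PROMPT_TYPE_PASSWORD; the NULL case is handled by assuming the worst (a password prompt), which is the behaviour a prompter written before prompt types existed would have had anyway.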
