Nuances of MIT Kerberos prompting

Russ Allbery eagle at eyrie.org
Tue Mar 3 01:33:52 EST 2020 

I'm finally revisiting PKINIT prompting in pam-krb5 and am trying to wrap
my head around some subtle nuances of behavior to be sure I'm doing
reasonable things.  Thus, a few questions:

1. The normal prompter interface has a mechanism to send a "name" and a
   "banner".  Neither of these are very well-documented, but the current
   PAM module behavior is to output them both (name first, then banner) as
   PAM_TEXT_INFO.

   I don't see any equivalent in the responder API.  How does that work?
   Is the prompter called with the name and banner but an empty list of
   prompts and the responder called with the actual questions, if both are
   given?  In what order?  I naively would have expected some way to use
   the responder interface to completely replace the prompter interface,
   but that doesn't seem to be possible because name and banner aren't
   supported.

2. Revisiting this message from many years ago:

   http://mailman.mit.edu/pipermail/kerberos/2013-May/018973.html

   the suggestion for use_pkinit was to have a prompter that declined to
   respond to password questions and only passed along preauth questions.
   This would be an alternative approach to using the responder API.
   However, this prompts a question: how does a prompter decline to
   respond to a question?  Should the prompter return failure if
   KRB5_PROMPT_TYPE_PASSWORD appears anywhere in krb5_get_prompt_types,
   presumably without displaying the name or banner?  If so, what status
   code?

3. How can I trigger MIT Kerberos to send a PKINIT prompt with multiple
   identities so that I can test the code that prompts the user to select
   one?  The code seems determined to prevent me from specifying multiple
   pkinit_identities.  Only the first one in krb5.conf appears to be
   honored and any subsequent ones are ignored, and kinit doesn't allow
   X509_user_identity to be set more than once.  Do I *have* to have a
   PKCS11 module to get to that code path, and I cannot access it with
   FILE or PKCS12 identities?

Finally, more a bug report than a question, but MIT Kerberos 1.17, when
given a PKCS12 identity file that's protected with a password (which is
what I'm using to test PIN prompting) prompts for the password twice.  The
second time appears to be during the krb5_verify_init_creds call.  What's
going on here?  The user experience is a little odd.  kinit only prompts
once, but I think that's because kinit never calls krb5_verify_init_creds.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list