Nuances of MIT Kerberos prompting
Greg Hudson
ghudson at mit.edu
Mon Mar 9 01:02:56 EDT 2020
On 3/8/20 8:01 PM, Russ Allbery wrote:
> I think the reason why I am confused by this is that Heimdal uses the
> prompter to pass along informational messages such as "your principal is
> about to expire," and I wasn't sure how MIT Kerberos would do the same
> thing with the responder interface. But maybe it doesn't present those
> messages, or uses the prompter for them even if a responder is provided
> and answers the actual questions?
In MIT krb5 you can set an expire callback
(krb5_get_init_creds_opt_set_expire_callback()); otherwise the prompter
is used if present, whether or not a responder is provided.
[Regarding the double prompt:]
> Here's the trace output, but it's not very useful since it seems to end
> after the authentication and doesn't include the verify attempt.
Yeah, I don't see an explanation there. A PKINIT PKCS12 prompter call
should be preceded by a "PKINIT initial PKCS12_parse with no password
failed" message. There are two such trace messages, but the first comes
during prep_questions(), when prompting is deferred (instead, the
identity is saved and a question for the responder is generated).