Nuances of MIT Kerberos prompting

Greg Hudson ghudson at mit.edu
Mon Mar 9 01:02:56 EDT 2020


On 3/8/20 8:01 PM, Russ Allbery wrote:
> I think the reason why I am confused by this is that Heimdal uses the
> prompter to pass along informational messages such as "your principal is
> about to expire," and I wasn't sure how MIT Kerberos would do the same
> thing with the responder interface.  But maybe it doesn't present those
> messages, or uses the prompter for them even if a responder is provided
> and answers the actual questions?

In MIT krb5 you can set an expire callback
(krb5_get_init_creds_opt_set_expire_callback()); otherwise the prompter
is used if present, whether or not a responder is provided.

[Regarding the double prompt:]
> Here's the trace output, but it's not very useful since it seems to end
> after the authentication and doesn't include the verify attempt.

Yeah, I don't see an explanation there.  A PKINIT PKCS12 prompter call
should be preceded by a "PKINIT initial PKCS12_parse with no password
failed" message.  There are two such trace messages, but the first comes
during prep_questions(), when prompting is deferred (instead, the
identity is saved and a question for the responder is generated).

