Nuances of MIT Kerberos prompting
Greg Hudson
ghudson at mit.edu
Mon Mar 9 15:20:28 EDT 2020
On 3/9/20 1:32 AM, Russ Allbery wrote:
>> In MIT krb5 you can set an expire callback
>> (krb5_get_init_creds_opt_set_expire_callback()); otherwise the prompter
>> is used if present, whether or not a responder is provided.
>
> Oh! Okay, that makes sense. In this case, the prompter is called with
> just a banner but no question?
Yes. For this prompter call, name is NULL, banner is the formatted
expiration warning, and num_prompts is 0.
> The relevant difference seems to be in frame 4 and frame 5. Source
> embedded from the krb5-1.17-final tag. In both cases, k5_preauth then
> calls the responder.
Ah, two responder calls, not two prompter calls. I was looking at the
wrong code paths.
Now that I look a the PKINIT responder logic, I agree that there is a
bug. In the second call to k5_preauth(), we are processing the KDC
PKINIT padata supplied alongside the issued ticket, in order to
authenticate the KDC response and set the correct reply key. PKINIT
does not need access to client certificates at this stage, but
pkinit_client_prep_questions() re-asks questions for its recorded
identities without checking the padata type or any other state that
would indicate where it is in the process. I will file a ticket.
(The real reason kinit isn't affected is that it doesn't use a responder
callback.)
More information about the Kerberos
mailing list