Nuances of MIT Kerberos prompting
Russ Allbery
eagle at eyrie.org
Mon Mar 9 15:30:23 EDT 2020
Greg Hudson <ghudson at mit.edu> writes:
> Yes. For this prompter call, name is NULL, banner is the formatted
> expiration warning, and num_prompts is 0.
Thanks!
> Ah, two responder calls, not two prompter calls. I was looking at the
> wrong code paths.
Oh, sorry, poor bug report on my part.
> Now that I look at the PKINIT responder logic, I agree that there is a
> bug. In the second call to k5_preauth(), we are processing the KDC
> PKINIT padata supplied alongside the issued ticket, in order to
> authenticate the KDC response and set the correct reply key. PKINIT
> does not need access to client certificates at this stage, but
> pkinit_client_prep_questions() re-asks questions for its recorded
> identities without checking the padata type or any other state that
> would indicate where it is in the process. I will file a ticket.
Thanks!
> (The real reason kinit isn't affected is that it doesn't use a responder
> callback.)
Yes, that makes perfect sense in retrospect. I should have started with
gdb before speculating.
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>