IAKERB Starter Credentials Solution
Nico Williams
nico at cryptonector.com
Sat Apr 26 12:36:43 EDT 2025
On Sat, Apr 26, 2025 at 10:39:02AM -0400, Michael B Allen wrote:
> I'm drilling down into IAKERB right now and I had a thought ...
>
> Unlike regular Kerberos where the initiator has a ticket from the ccache
> already acquired in a separate authentication step, IAKERB needs "starter"
> credentials like a principal name and plaintext password.
>
> So how does an IAKERB initiator get the client principal name and password?
See:
- gss_acquire_cred_with_password() / gss_add_cred_with_password()
- gss_acquire_cred_from()
The problem with the above is that there is no way to interactively find
out what the user must supply, but otherwise they work. And if the only
thing the user needs besides a password is a one-time password or a
smartcard then we could have new error codes by which to indicate this
so the application can prompt for those and retry, so the lack of
interactivity is not a big deal.
OS X used to have a dialog pop-up for such things, but that did not work
well.
Rather than a callback I'd prefer to have a new major status code that
indicates that the application must call a function to extract the
prompts / supply answers, and this would use the partial security
context handle to sequence things.
Nico