IAKERB Starter Credentials Solution
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sat Apr 26 18:22:01 EDT 2025
>On Sat, Apr 26, 2025 at 03:33:10PM -0400, Michael B Allen wrote:
>> Yeah, when trying to do iakerb_gss_init_sec_context and there's no TGT (or
>> Ticket), then just returning an error is reasonable.
>>
>> Applications would have to add new code to set a callback or catch an error
>> so neither way is going to be transparent.
>
>Putting up a dialog like OS X used to do is doable, but nowadays
>considered a bad UX by Apple and others. I've never seen that in action
>so I can't speak from experience.
Just FYI, Apple's Security framework will put up a PIN prompt dialog if you
try to use a key on a smartcard that needs to be unlocked. It's possible to
feed a PIN to the card via the Security framework (so, for instance,
you could require the application to ask for the PIN), but this is almost
completely undocumented and only works if you're working with the smartcard
directly; I don't know how you would do it if you were doing IAKERB via
the GSSAPI.
I'm not sure how else one is supposed to unlock a smartcard; I can
understand the concerns about it being poor UX, but for those of us
who use smartcards daily this is the standard interface across a number
of platforms and I don't know what the alternative would be.
--Ken