krb5_get_init_creds*(), HW pre-auth and prompters

Nicolas Williams Nicolas.Williams at
Wed Dec 18 14:41:00 EST 2002

I've thought now for a long time that each pre-auth type should provide
its own sort of prompter that would get called before (and with) the
application provided prompter.

Thus HW pre-auth wouldn't need to prompt users at all where HW readers
are available, and where prompting is required the pre-auth code could
decide when to re-prompt for a token.

And you don't need to modify krb5_get_init_creds_keytab() to take a
prompter.  Rather, pass in a prompter and get_as_key() callbacks to
krb5_get_init_creds() and let the get_as_key() callback get the keytab
key material it needs for your pre-auth.  Ideally this would be hidden
from the application - see previous two paragraphs.



More information about the krbdev mailing list