krb5_get_init_creds*(), HW pre-auth and prompters
Nicolas.Williams at sun.com
Wed Dec 18 14:41:00 EST 2002
I've thought now for a long time that each pre-auth type should provide
its own sort of prompter that would get called before (and with) the
application-provided prompter.

Thus HW pre-auth wouldn't need to prompt users at all where HW readers
are available, and where prompting is required the pre-auth code could
decide when to re-prompt for a token.

And you don't need to modify krb5_get_init_creds_keytab() to take a
prompter. Rather, pass in a prompter and get_as_key() callbacks to
krb5_get_init_creds() and let the get_as_key() callback get the keytab
key material it needs for your pre-auth. Ideally this would be hidden
from the application - see previous two paragraphs.