hardware preauthentication in krb5-1.3-beta4

Peter Iannarelli peteri at cryptocard.com
Mon Jul 14 12:00:59 EDT 2003


I am attempting to implement CRYPTOCARD hardware preauthentication into 
the krb5-1.3-beta4 kdc.
For the most part I have it working just fine, except for two minor issues.

firstly, when I tested with GRAIL, I am presented a challenge and I 
enter my response
and all goes well.

I added a new type to the switch statement in sam_get_edata. It's type 
as defined in k5-int.h. When I attempt to get my ticket, I am prompted 
to enter my password. After entering
a good or bad password, I am prompted with my challenge. Why am I being 
prompted to enter a password?
When using GRAIL I am not prompted to enter a password, I am simply 
presented a challenge and the response
is expected.


If I enter an invalid response, in GRAIL, I am presented the challenge 
and prompted to enter my response
again. When using PA_SAM_TYPE_CRYPTOCARD, I am not presented that second 
challenge nor prompt.
I simply get a "kinit(v5): Cannot read password while getting initial 

Please note: the CRYPTOCARD logic is the same as the GRAIL logic with 
the exception of the origin of
the challenge and response. If anyone wants to see the code, just ask

Any help would be greatly appreciated.


Peter Iannarelli

More information about the krbdev mailing list