Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Douglas E. Engert deengert at anl.gov
Mon Dec 4 18:48:06 EST 2006



Kevin Coffman wrote:

> Branch users/coffman/gic_opt_ext has my proposal for extending the
> get_init_creds_opt structure and making use of it to pass preauth
> options through to the preauth plugins.
> 
> There is currently extra test code in kinit.c which does not belong.
> Hopefully it is obvious.  There is currently *not* a compatibility
> function/macro to match Heimdal's krb5_get_init_creds_opt_set_pkinit()
> function.

Since PAM_KRB5 is a common source routine that needs to call
krb5_get_init_creds_* it would be nice if both MIT and Heimdal
used the same API....

> 
> Comments please.
> 
> On 11/20/06, Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
> 
>>Kevin Coffman wrote:
>>
>>>The attached patch does not really do any real extensions yet, but the
>>>plumbing is here.  I didn't change KFW_kinit() in
>>>src/windows/kfwlogon/kfwcommon.c because I wasn't sure how to handle
>>>this pkrb5_ stuff.  (Jeffrey is this as straight-forward as the rest
>>>of the changes?)
>>
>>Don't worry about windows/cns or windows/kfwlogon.  It can be updated
>>when there is a need to do so.  windows/cns has not been touched in years.
>>
>>
>>>Does this look reasonable?
>>
>>I would not put assert() calls into libraries.  If
>>krb5_gic_opt_is_extended() fails, the calling function should return an
>>error to the caller.  We don't want to cause the application to
>>terminate unexpectedly.
>>
>>Remember to update the Windows export list: src/lib/krb5_32.def
>>
>>Other than that, looks reasonable.
>>
>>Jeffrey Altman

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
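
The review point quoted above (return an error to the caller when the krb5_gic_opt_is_extended() check fails, rather than calling assert() inside the library), as an added example that is not code from the patch, MIT krb5 or Heimdal. Every demo_* name, the flag value and the struct layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* All names and values here are hypothetical stand-ins, not the krb5 API. */
#define DEMO_OPT_EXTENDED 0x80000000u

typedef struct demo_gic_opt {       /* original layout a caller may allocate */
    unsigned int flags;
    int tkt_life;
} demo_gic_opt;

typedef struct demo_gic_opt_ext {   /* extended layout, set up by the library */
    demo_gic_opt base;              /* stays first so the cast below is valid */
    const char *pa_attr;
    const char *pa_value;
} demo_gic_opt_ext;

void demo_opt_init_ext(demo_gic_opt_ext *ext)
{
    ext->base.flags = DEMO_OPT_EXTENDED;
    ext->base.tkt_life = 0;
    ext->pa_attr = ext->pa_value = NULL;
}

int demo_opt_is_extended(const demo_gic_opt *opt)
{
    return opt != NULL && (opt->flags & DEMO_OPT_EXTENDED) != 0;
}

/* Store one preauth attribute/value pair; needs the extended layout. */
int demo_opt_set_pa(demo_gic_opt *opt, const char *attr, const char *value)
{
    demo_gic_opt_ext *ext;

    if (attr == NULL || value == NULL || !demo_opt_is_extended(opt))
        return EINVAL;  /* an assert() here would abort the host process */
    ext = (demo_gic_opt_ext *)opt;
    ext->pa_attr = attr;
    ext->pa_value = value;
    return 0;
}

int main(void)
{
    demo_gic_opt plain = { 0, 0 };  /* old-style options, not extended */
    demo_gic_opt_ext ext;
    demo_opt_init_ext(&ext);
    printf("plain: %d\n", demo_opt_set_pa(&plain, "attr", "value"));
    printf("extended: %d\n", demo_opt_set_pa(&ext.base, "attr", "value"));
    return 0;
}
```

A caller that passes the old, non-extended structure gets EINVAL back and can fall back or report the failure, where an assert() would have terminated the calling application.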