Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Kevin Coffman kwc at citi.umich.edu
Thu Dec 7 10:16:49 EST 2006


On 12/5/06, Douglas E. Engert <deengert at anl.gov> wrote:
>
> Sam Hartman wrote:
>
> >>>>>>"Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> >
> >
> >     Douglas> Kevin Coffman wrote:
> >
> >     >> Branch users/coffman/gic_opt_ext has my proposal for extending
> >     >> the get_init_creds_opt structure and making use of it to pass
> >     >> preauth options through to the preauth plugins.
> >     >>
> >     >> There is currently extra test code in kinit.c which does not
> >     >> belong.  Hopefully it is obvious.  There is currently *not* a
> >     >> compatibility function/macro to match Heimdal's
> >     >> krb5_get_init_creds_opt_set_pkinit() function.
> >
> >     Douglas> Since PAM_KRB5 is a common source routine that needs to
> >     Douglas> call krb5_get_init_creds_* it would be nice if both MIT
> >     Douglas> and Heimdal used the same API....
> >
> > As I've said before, we cannot have a pkinit-specific entry point in
> > libkrb5 for licensing reasons.
>
> Well, if MIT can get PKINIT to work, without a special
> krb5_get_init_creds_opt_*  then maybe Heimdal can too.
> I would still like to see the same API,

I've updated this branch to remove the extra 'user_id' parameter in
krb5_get_init_creds_opt_set_pa() and added an emulation function to
match Heimdal's krb5_get_init_creds_opt_set_pkinit().  Sam won't want
this function in libkrb5, but it is there for testing and proof of
concept...

It requires that we agree on attribute name equivalents to the
parameters supplied to krb5_get_init_creds_opt_set_pkinit().  I used
the following, but am open to discussion.

Love, I didn't find another use of flags besides 2 to specify using
RSA vs. DH; are there others?

  .attr = "X509_user_identity";  /* Location of user's X.509 identity (cert/key) */
  .attr = "X509_anchors";        /* X.509 Trust Anchors */
  .attr = "X509_chain_list";     /* Other X.509 certs for building verification chains */
  .attr = "X509_revoke_list";    /* Location of revocation information */
  .attr = "flag_RSA_PROTOCOL";   /* Use RSA rather than DH */
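Added example, not code from the gic_opt_ext branch or from either library: a sketch of how a Heimdal-style set_pkinit() call can be layered on a generic set_pa(attr, value) interface using the attribute names above, with the flags value 2 becoming the flag_RSA_PROTOCOL attribute. The pa_opt struct, set_pa/get_pa, the "yes" flag value and the sample paths are stand-ins assumed for illustration so that the block builds without libkrb5.

```c
#include <string.h>

#define MAX_PA 8
#define PKINIT_FLAG_RSA 2   /* the flags value 2 from the thread: RSA instead of DH */

/* Local stand-in for krb5_get_init_creds_opt (assumption): a list of attr/value pairs. */
struct pa_opt { int n; const char *attr[MAX_PA]; const char *value[MAX_PA]; };

/* Generic setter in the shape of the proposed krb5_get_init_creds_opt_set_pa(). */
static int set_pa(struct pa_opt *opt, const char *attr, const char *value)
{
    if (opt->n >= MAX_PA) return -1;
    opt->attr[opt->n] = attr;
    opt->value[opt->n] = value;
    opt->n++;
    return 0;
}

/* Emulation of the Heimdal-style call: each parameter becomes one attribute,
 * NULL parameters set nothing, and the RSA flag bit becomes flag_RSA_PROTOCOL. */
int emulate_set_pkinit(struct pa_opt *opt, const char *user_id, const char *anchors,
                       const char *chain_list, const char *revoke_list, int flags)
{
    int ret = 0;
    if (user_id)     ret |= set_pa(opt, "X509_user_identity", user_id);
    if (anchors)     ret |= set_pa(opt, "X509_anchors", anchors);
    if (chain_list)  ret |= set_pa(opt, "X509_chain_list", chain_list);
    if (revoke_list) ret |= set_pa(opt, "X509_revoke_list", revoke_list);
    if (flags & PKINIT_FLAG_RSA) ret |= set_pa(opt, "flag_RSA_PROTOCOL", "yes");
    return ret;
}

/* Look up an attribute the way a preauth plugin would; NULL if it was never set. */
const char *get_pa(const struct pa_opt *opt, const char *attr)
{
    for (int i = 0; i < opt->n; i++)
        if (strcmp(opt->attr[i], attr) == 0) return opt->value[i];
    return NULL;
}

/* Constructed sample (made-up paths): run the emulation and return one attribute's value. */
const char *sample_mapping(const char *attr, int flags)
{
    struct pa_opt opt = {0};
    emulate_set_pkinit(&opt, "FILE:/tmp/user.pem", "FILE:/tmp/anchors.pem", NULL, NULL, flags);
    return get_pa(&opt, attr);
}
```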
