Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Jeffrey Altman jaltman at secure-endpoints.com
Thu Dec 7 13:27:22 EST 2006


Kevin Coffman wrote:
> On 12/7/06, Sam Hartman <hartmans at mit.edu> wrote:
>> Wait, why does krb5_get_init_creds_opt_set_pa take things like a
>> password and principal, etc.?  I don't understand why it takes more
>> than a patype, attribute and value.
> 
> Because they were needed to emulate
> krb5_get_init_creds_opt_set_pkinit() which looks like:
> 
> krb5_error_code KRB5_LIB_FUNCTION
> krb5_get_init_creds_opt_set_pkinit(krb5_context context,
>                                   krb5_get_init_creds_opt *opt,
>                                   krb5_principal principal,
>                                   const char *user_id,
>                                   const char *x509_anchors,
>                                   char * const * pool,
>                                   char * const * pki_revoke,
>                                   int flags,
>                                   krb5_prompter_fct prompter,
>                                   void *prompter_data,
>                                   char *password);
> 
> I assumed that the plugin may have to prompt for the PIN.  I think
> Heimdal allows getting a password from a file.

I would think that each of those items would become attributes.

krb5_get_init_creds_opt_set_pkinit() would make multiple calls
to krb5_get_init_creds_opt_set_pa() with each of the required
attribute/value pairs.

Jeffrey Altman
