Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Kevin Coffman kwc at
Thu Dec 7 13:26:58 EST 2006

On 12/7/06, Kevin Coffman <kwc at> wrote:
> On 12/7/06, Sam Hartman <hartmans at> wrote:
> > Wait, why does krb5_get_init_creds_opt_set_pa take things like a
> > password and principal and etc.  I don't understand why it takes more
> > than a patype, attribute and value?
> Because they were needed to emulate
> krb5_get_init_creds_opt_set_pkinit() which looks like:
> krb5_error_code KRB5_LIB_FUNCTION
> krb5_get_init_creds_opt_set_pkinit(krb5_context context,
>                                    krb5_get_init_creds_opt *opt,
>                                    krb5_principal principal,
>                                    const char *user_id,
>                                    const char *x509_anchors,
>                                    char * const * pool,
>                                    char * const * pki_revoke,
>                                    int flags,
>                                    krb5_prompter_fct prompter,
>                                    void *prompter_data,
>                                    char *password);
> I assumed that the plugin may have to prompt for the PIN.  I think
> Heimdal allows getting a password from a file.

Right, so krb5_get_init_creds_opt_set_pkinit() can be emulated w/o
having all these extras in the krb5_get_init_creds_opt_set_pa()
function.  The question is whether the plugin may need/want to prompt
for a pin (or for a password to open a PKCS12 file) while validating
these things.

More information about the krbdev mailing list