Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Kevin Coffman kwc at citi.umich.edu
Thu Dec 7 13:26:58 EST 2006


On 12/7/06, Kevin Coffman <kwc at citi.umich.edu> wrote:
> On 12/7/06, Sam Hartman <hartmans at mit.edu> wrote:
> > Wait, why does krb5_get_init_creds_opt_set_pa take things like a
> > password and principal, etc.?  I don't understand why it takes more
> > than a patype, attribute and value.
>
> Because they were needed to emulate
> krb5_get_init_creds_opt_set_pkinit() which looks like:
>
> krb5_error_code KRB5_LIB_FUNCTION
> krb5_get_init_creds_opt_set_pkinit(krb5_context context,
>                                    krb5_get_init_creds_opt *opt,
>                                    krb5_principal principal,
>                                    const char *user_id,
>                                    const char *x509_anchors,
>                                    char * const * pool,
>                                    char * const * pki_revoke,
>                                    int flags,
>                                    krb5_prompter_fct prompter,
>                                    void *prompter_data,
>                                    char *password);
>
> I assumed that the plugin may have to prompt for the PIN.  I think
> Heimdal allows getting a password from a file.

Right, so krb5_get_init_creds_opt_set_pkinit() can be emulated w/o
having all these extras in the krb5_get_init_creds_opt_set_pa()
function.  The question is whether the plugin may need/want to prompt
for a PIN (or for a password to open a PKCS12 file) while validating
these things.


