Proposed krb5_get_init_creds_opt_set_pa

Kevin Coffman kwc at citi.umich.edu
Fri Dec 8 15:51:09 EST 2006


On 12/7/06, Sam Hartman <hartmans at mit.edu> wrote:
> At least initially I'd vote to keep things simple and if people are
> happy with the names Kevin proposed, use them.  We can work on
> registration rules with the initial understanding that MIT and Heimdal
> implementers will be able to get FCFS registrations until something
> more formal is worked out.

I've updated my branch to implement the simplified interface for
krb5_get_init_creds_set_pa()  (See below.)

I left in the heimdal compatibility function,
krb5_get_init_creds_opt_set_pkinit(), for now.

I also updated kinit to take -X options (for lack of a better idea)
and pass them along as preauth options as in Doug's suggestion.

So I am able to enter:
kinit -X X509_user_identity=/tmp/x509up_u20010,/tmp/x509up_u20010 \
    -X X509_anchors=/etc/grid-security/certificates kwc@REALM

Note that this branch also includes the code to extend the
get_init_creds_opt structure.

----------------------------------------------------------------------------------------------------

/* Generic preauth option attribute/value pairs */
typedef struct _krb5_gic_opt_pa_data {
    char *attr;
    char *value;
} krb5_gic_opt_pa_data;

/*
 * This function allows the caller to supply options to preauth
 * plugins.  Preauth plugin modules are given a chance to look
 * at each option at the time this function is called in order
 * to check the validity of the option.
 * The 'opt' pointer supplied to this function must have been
 * obtained using krb5_get_init_creds_opt_alloc()
 */
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pa
                (krb5_context context,
                krb5_get_init_creds_opt *opt,
                const char *attr,
                const char *value);

/*
 * This function allows a preauth plugin to obtain preauth
 * options.  The preauth_data returned from this function
 * should be freed by calling krb5_get_init_creds_opt_free_pa().
 *
 * The 'opt' pointer supplied to this function must have been
 * obtained using krb5_get_init_creds_opt_alloc()
 */
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_pa
                (krb5_context context,
                krb5_get_init_creds_opt *opt,
                int *num_preauth_data,
                krb5_gic_opt_pa_data **preauth_data);

/*
 * This function frees the preauth_data that was returned by
 * krb5_get_init_creds_opt_get_pa().
 */
void KRB5_CALLCONV
krb5_get_init_creds_opt_free_pa
                (krb5_context context,
                 int num_preauth_data,
                 krb5_gic_opt_pa_data *preauth_data);
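
Added example, not part of the original message or of the branch it describes: one way a client such as kinit could turn each "-X attr=value" argument into an attr/value pair before handing it to krb5_get_init_creds_opt_set_pa(). The names pa_pair, dup_n, parse_x_opt and pa_pair_free are hypothetical, and rejecting an argument with no '=' or an empty attribute is an assumption of this example, not behaviour stated in the message.

```c
#include <stdlib.h>
#include <string.h>

typedef struct {   /* hypothetical local type, same shape as krb5_gic_opt_pa_data */
    char *attr;
    char *value;
} pa_pair;

/* Copy n bytes of s into a fresh NUL-terminated string. */
static char *dup_n(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p != NULL) {
        memcpy(p, s, n);
        p[n] = '\0';
    }
    return p;
}

/*
 * Split one "-X" argument at the FIRST '=' only, so a value that itself
 * contains ',' or '=' (a list of files, a path) is passed through intact.
 * Returns 0 on success, -1 on malformed input or allocation failure.
 */
int parse_x_opt(const char *arg, pa_pair *out)
{
    const char *eq;

    out->attr = out->value = NULL;
    if (arg == NULL || (eq = strchr(arg, '=')) == NULL || eq == arg)
        return -1;
    out->attr = dup_n(arg, (size_t)(eq - arg));
    out->value = dup_n(eq + 1, strlen(eq + 1));
    if (out->attr == NULL || out->value == NULL) {
        free(out->attr);
        free(out->value);
        out->attr = out->value = NULL;
        return -1;
    }
    return 0;
}

/* Release what parse_x_opt allocated; safe to call after a failed parse. */
void pa_pair_free(pa_pair *p)
{
    free(p->attr);
    free(p->value);
    p->attr = p->value = NULL;
}
```

The caller owns both strings until pa_pair_free() is called.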


