Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Kevin Coffman kwc at
Thu Nov 16 17:08:33 EST 2006

On 11/15/06, Sam Hartman <hartmans at> wrote:
> Jeff, the get_init_creds_options structure is exposed in the ABI.
> We do need a way of extending that structure for preauth plugin
> options, and if we can get it for 1.6 we want it.  But it needs to be
> more complicated than what you provide.
> My best guess is that we provide a new allocator function and a way of
> detecting wether the caller has used this new allocate function or
> not.
> I'd like to find a simpler solution than that.
> Other than the ABI problem, your proposal looks reasonable.
> --Sam

I've been thinking about this as related to pkinit, but haven't
followed it all the way through.  I'm looking for confirmation whether
this idea has potential.

Could we do like Heimdal has done and add an "opt_private" pointer to
the krb5_get_init_creds_opt structure. krb5_get_init_creds_opt_init()
would set a new flag which indicates that the opt_private pointer is
invalid.  We can reset that flag when a (new) call is made that causes
the allocation of the opt_private structure.  (I'm unclear whether we
need a refcount in this opt_private structure as Heimdal has.)


More information about the krbdev mailing list