Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Kevin Coffman kwc at citi.umich.edu
Mon Nov 20 08:04:03 EST 2006


On 11/16/06, Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
> Kevin Coffman wrote:
>
> As Sam pointed out, we have an initial problem in that the existing
> get_init_creds_options structure is publicly defined.  Therefore, we
> can't modify it to add the new opt_private pointer.
>
> Sam has proposed that we define a new extended
> krb5_get_init_creds_options structure that would be allocated by a
> replacement for krb5_get_init_creds_opt_init()
>
>
> krb5_error_code KRB5_CALLCONV
> krb5_get_init_creds_opt_init_new (krb5_get_init_creds_opt **opt);
>
> krb5_error_code KRB5_CALLCONV
> krb5_get_init_creds_opt_free (krb5_get_init_creds_opt *opt);
>
> The krb5_get_init_creds_opt_init_new() call would allocate a
> private structure whose initial fields match those of the public
> krb5_get_init_creds_opt structure.  A special flag value would
> be allocated to indicate that the structure was allocated by
> krb5_get_init_creds_opt_new().
>
> #define KRB5_GET_INIT_CREDS_OPT_RESERVED 0x8000
>
> krb5_get_init_creds_opt_init() must not be called after
> krb5_get_init_creds_opt_init_new().
>
> krb5_get_init_creds_opt_free() would only free the structure if the
> KRB5_GET_INIT_CREDS_OPT_RESERVED flag bit is set.
>
> Once this is done it would be possible to extend the private structure
> with as many fields as are required.  The shape of the structure could be
> determined based upon the number and types of pre-auth plugins that have
> been loaded provided that the plug-ins provide a method of querying for
> their requirements.
>
> Jeffrey Altman

If we cannot change the krb5_get_init_creds_opt structure, as Heimdal
has done, it seems to me there are two approaches.  I started down one
road, but am looking for opinions before going any further.

1) krb5_get_init_creds_opt_init_alloc() returns a pointer to this new
extended structure cast as a pointer to krb5_get_init_creds_opt.
We'll deal internally with casting it back to the extended structure
as needed/appropriate.

2) krb5_get_init_creds_opt_init_alloc() returns a handle to the new
extended structure, not a pointer to krb5_get_init_creds_opt.  This
requires either a series of wrapper functions that take a pointer to
this new structure, or a public conversion function which takes a
pointer to the new structure and returns a krb5_get_init_creds_opt
pointer to be used in all the existing functions.  This breaks API
compatibility with Heimdal.

K.C.
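The first approach above (hand out a pointer to the public struct, cast back to the extended one internally, and let a reserved flag bit say which kind of memory you are holding) is worth seeing as working code, because the flag check is what keeps the library from writing past the end of a caller's old-style stack struct or freeing memory it does not own. The following is an added example written for this thread, not code from MIT krb5 or Heimdal; all names (gic_opt, gic_opt_ext, GIC_OPT_RESERVED, gic_opt_alloc, gic_opt_free and the rest) are hypothetical stand-ins for the proposed API, and the layout rule it relies on is only that the public struct is the first member of the extended one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names modelled on the proposal; not the krb5 library's own. */
#define GIC_OPT_RESERVED 0x8000      /* "allocated by the library" marker */

typedef struct {
    int flags;
    int tkt_life;
} gic_opt;                           /* public, ABI-frozen shape */

typedef struct {
    gic_opt pub;                     /* must be first: a gic_opt* aliases this */
    void *priv;                      /* new field invisible to old callers */
} gic_opt_ext;

/* Legacy initializer: zeroes the public struct, and therefore also clears
 * the marker bit. This is why it must not be called on an allocated opt. */
void gic_opt_init(gic_opt *opt) {
    memset(opt, 0, sizeof *opt);
}

/* Replacement initializer: allocates the extended struct and returns it
 * cast as a pointer to the public prefix, with the marker bit set. */
gic_opt *gic_opt_alloc(void) {
    gic_opt_ext *ext = calloc(1, sizeof *ext);
    if (ext == NULL) return NULL;
    ext->pub.flags = GIC_OPT_RESERVED;
    return &ext->pub;
}

/* Only trust the cast when the marker says the memory really is an ext. */
static gic_opt_ext *to_ext(gic_opt *opt) {
    if (opt == NULL || !(opt->flags & GIC_OPT_RESERVED)) return NULL;
    return (gic_opt_ext *)opt;
}

/* Returns 0 on success, -1 if opt is a legacy (non-extended) struct:
 * refusing is safer than writing beyond the end of the caller's memory. */
int gic_opt_set_private(gic_opt *opt, void *p) {
    gic_opt_ext *ext = to_ext(opt);
    if (ext == NULL) return -1;
    ext->priv = p;
    return 0;
}

void *gic_opt_get_private(gic_opt *opt) {
    gic_opt_ext *ext = to_ext(opt);
    return ext ? ext->priv : NULL;
}

/* Frees only what gic_opt_alloc handed out; returns 1 if freed, 0 if not. */
int gic_opt_free(gic_opt *opt) {
    gic_opt_ext *ext = to_ext(opt);
    if (ext == NULL) return 0;       /* caller-owned or stack struct: leave it */
    free(ext);
    return 1;
}

/* Scenario 1: an allocated opt round-trips a private pointer and is freed. */
int demo_extended_roundtrip(void) {
    static int token = 7;            /* constructed payload for the private field */
    gic_opt *opt = gic_opt_alloc();
    if (opt == NULL) return 0;
    if (!(opt->flags & GIC_OPT_RESERVED)) return 0;
    if (gic_opt_set_private(opt, &token) != 0) return 0;
    if (gic_opt_get_private(opt) != &token) return 0;
    return gic_opt_free(opt);        /* 1: it was ours, so it was freed */
}

/* Scenario 2: an old-style stack struct is recognised and left alone. */
int demo_legacy_struct(void) {
    static int token = 9;
    gic_opt legacy;
    gic_opt_init(&legacy);           /* no marker bit: plain public struct */
    if (gic_opt_set_private(&legacy, &token) != -1) return 0;
    if (gic_opt_get_private(&legacy) != NULL) return 0;
    return gic_opt_free(&legacy) == 0;   /* 1: nothing freed, no crash */
}

int main(void) {
    printf("extended: %d\n", demo_extended_roundtrip());
    printf("legacy:   %d\n", demo_legacy_struct());
    return 0;
}
```

The cast in to_ext is valid only because gic_opt is the first member of gic_opt_ext, so the two pointers share an address; any reordering of that struct, or a caller that runs gic_opt_init on an allocated opt and wipes the marker, silently turns a library-owned block into one gic_opt_free will no longer release.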
