API for setting preauth get_init_creds_options
kwc at citi.umich.edu
Tue Nov 21 10:43:55 EST 2006
On 10/17/06, Sam Hartman <hartmans at mit.edu> wrote:
> I think we should perhaps move the API discussion to krbdev and so I'm
> adding that list.
> I think the requirements are:
> 1) The API in libkrb5 must not be pkinit specific.
> So I'm thinking of something like a get_init_creds_opt_set_pa which
> takes a patype, integer|string and value.
> 2) Easy compatibility with Heimdal. So, for example, you'd like to be able
> to have a #define for the Heimdal functions or at least export similar
> 3) Minimize backend specificity.
> 4) Provide an interface that can be used for gssmaggot integration.
> I think that goal 2 and 3 are in conflict. It seems likely that we
> may end up exporting some APIs that provide Heimdal compat at least
> when built against openssl.
> I would appreciate advice on how we can move forward here.
I'm hoping to renew this conversation and get advice.
This is Heimdal's interface:
krb5_get_init_creds_opt * /*opt*/,
const char * /*user_id*/,
const char * /*x509_anchors*/,
char * const * /*pool*/,
char * const * /*pki_revoke*/,
void * /*prompter_data*/,
char * /*password*/);
Taking Sam's initial suggestion, here is what I came up with:
const char *user_id,
const char *password,
const char *attr,
const char *value)
Should "attr" and "value" be an array of attr/value pairs so we could
accomplish setting several values like "x509_anchors", "pool",
"pki_revoke" in one call?
How should these be passed from the command line for kinit?
BTW, for the plugins to make use of the krb5_get_init_creds_opt, they
would have to know about the new extended structure, which I think is