pkinit debugging

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jun 20 11:56:41 EDT 2007


Kevin Coffman wrote:
> We currently use printf to print debugging information.  It is enabled
> by compiling with -DDEBUG.  Without this defined, if something goes
> wrong with pkinit you get a password prompt with no clue on what
> went wrong with pkinit.
> 
> I'd like to propose a new runtime option to enable the debugging
> messages to be printed somewhere so that problems can be diagnosed
> without the need to re-compile with -DDEBUG.
> 
> I was thinking about something like "-X debug[= [stdout | stderr |
> <filename> ]]".  There could also be a debugging level option if that
> seems desirable.  By sending debug output to a file, non-interactive
> logins from pam could also be debugged.
> 
> Any suggestions?
> 
> K.C.

Kevin:

On Windows I would like to see an option for sending debug output using
the OutputDebugString API.

Network Identity Manager has its own log which is used to collect the
events that are occurring as part of the credential acquisition.  It
would be nice if NIM could collect debugging data from the
get_init_creds call in general and store it into the log.  pkinit should
support whatever that general mechanism would be.  Now that we have the
ability to extend gic opts we could add a callback function that can be
registered to receive log messages when such functionality is desired.

Thoughts?

Jeffrey Altman
Secure Endpoints Inc.
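
A sketch combining the two proposals in this thread (the runtime `debug[=stdout|stderr|<filename>]` value and a registered log callback), added here as an illustration and not taken from the thread or from MIT krb5. All names (`dbg_cb`, `dbg_sink`, `dbg_sink_from_attr`, `dbg_log`, `collect_cb`) are hypothetical, and the stderr default for a bare `debug` is an assumption; on Windows a registered callback could forward each message to `OutputDebugString`.

```c
/* Added illustration: every name here is hypothetical, not an MIT krb5 API. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
typedef void (*dbg_cb)(void *ctx, const char *msg);
struct dbg_sink { dbg_cb cb; void *ctx; };

/* Built-in sink for stdout, stderr or a file; ctx is the FILE *. */
static void stream_cb(void *ctx, const char *msg)
{
    fprintf((FILE *)ctx, "pkinit: %s\n", msg);
    fflush((FILE *)ctx);
}
/* Application-registered sink: keeps the last message in a 256-byte buffer. */
void collect_cb(void *ctx, const char *msg) { snprintf((char *)ctx, 256, "%s", msg); }

/* Parse "debug[=stdout|stderr|<filename>]": 0 on success, -1 on bad input. */
int dbg_sink_from_attr(struct dbg_sink *s, const char *attr)
{
    FILE *fp = stderr;            /* bare "debug" means stderr (assumption) */
    s->cb = NULL; s->ctx = NULL;
    if (strncmp(attr, "debug", 5) != 0 || (attr[5] != '\0' && attr[5] != '='))
        return -1;
    if (attr[5] == '=') {
        const char *v = attr + 6;
        if (strcmp(v, "stdout") == 0) fp = stdout;
        else if (strcmp(v, "stderr") != 0)   /* real code: restrict file mode */
            fp = *v ? fopen(v, "a") : NULL;  /* empty value is rejected */
        if (fp == NULL) return -1;
    }
    s->cb = stream_cb; s->ctx = fp;
    return 0;
}

/* Format and deliver one message: 1 if delivered, 0 if debugging is off. */
int dbg_log(const struct dbg_sink *s, const char *fmt, ...)
{
    char buf[256]; va_list ap;
    if (s == NULL || s->cb == NULL) return 0;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    s->cb(s->ctx, buf);
    return 1;
}

int main(void)
{
    struct dbg_sink s;            /* message text is a constructed sample */
    return dbg_sink_from_attr(&s, "debug=stderr") || !dbg_log(&s, "no usable %s", "client certificate");
}
```

Because a failed parse leaves the sink empty, a mistyped option silently disables logging rather than writing somewhere unexpected.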