issue with krb5_prompter_posix() design

Will Fiveash will.fiveash at
Thu Apr 15 16:23:14 EDT 2010

While debugging some memory leaks relating to my pam_krb5 pkinit work I
noticed a discrepancy between the libkrb krb5_prompter_posix() which
requires callers to allocate the reply data buffer and standard PAM
conversation functions which allocate the reply data buffer and expect
the consumer of the reply data to free() it.  Here is a description from
the Solaris Security for Developers Guide on how to write a proper PAM
conversation function:

Seems to me the PAM approach is better since it's acquiring the reply.
Anyway this is adding complication to the prompter bridge function I
wrote in pam_krb5 to allow preauth plug-ins like pkinit to prompt via a
PAM conversation function.
Will Fiveash
Note my new work e-mail address: will.fiveash at
Sent using mutt, a sweet text based e-mail app:
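
The ownership mismatch described in this message, as an added example that is not from the original post or from pam_krb5: a bridge that takes callee-allocated replies from a PAM-style conversation, copies them into caller-allocated prompter buffers, and wipes and frees the replies on every path. The struct and function names are simplified stand-ins (assumptions) for krb5_prompt/krb5_data and struct pam_response, and the -1 error code is a placeholder.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in types (assumptions), simplified from krb5_data/krb5_prompt and
 * struct pam_response so this builds without the krb5 or PAM headers. */
struct reply_buf { unsigned int length; char *data; };   /* caller allocates */
struct prompt    { const char *text; int hidden; struct reply_buf *reply; };
struct conv_resp { char *resp; };                        /* callee allocates */
typedef int (*conv_fn)(int n, const struct prompt *p, struct conv_resp **out);

/* The consumer owns the response array: wipe each reply, then free it all. */
static void free_responses(struct conv_resp *r, int n)
{
    for (int i = 0; r != NULL && i < n; i++) {
        for (volatile char *c = r[i].resp; c != NULL && *c; c++) *c = 0;
        free(r[i].resp);
    }
    free(r);
}

/* Bridge: reply->length is the buffer size on entry, the reply length on return. */
int bridge_prompter(conv_fn conv, int n, struct prompt prompts[])
{
    struct conv_resp *resp = NULL;
    int rc = -1;
    if (n <= 0 || conv(n, prompts, &resp) != 0 || resp == NULL) goto out;
    for (int i = 0; i < n; i++) {
        struct reply_buf *dst = prompts[i].reply;
        size_t len = resp[i].resp ? strlen(resp[i].resp) : 0;
        if (resp[i].resp == NULL || len >= dst->length) goto out; /* reject, never truncate */
        memcpy(dst->data, resp[i].resp, len + 1);
        dst->length = (unsigned int)len;
    }
    rc = 0;
out:
    free_responses(resp, n);   /* runs on success and on every error path */
    return rc;
}

/* Constructed sample conversation: answers every prompt with "1234". */
int sample_conv(int n, const struct prompt *p, struct conv_resp **out)
{
    (void)p;
    if ((*out = calloc((size_t)n, sizeof(**out))) == NULL) return -1;
    for (int i = 0; i < n; i++)
        if (((*out)[i].resp = malloc(5)) != NULL) memcpy((*out)[i].resp, "1234", 5);
    return 0;
}
```

On an error partway through several prompts, earlier caller buffers may already hold copied replies, so the caller should wipe its own buffers when the bridge fails.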
