prompter type question
Nicolas Williams
Nicolas.Williams at sun.com
Tue Mar 16 16:10:14 EDT 2010
On Tue, Mar 16, 2010 at 02:09:49PM -0500, Will Fiveash wrote:
> I'm looking at modifying the pkinit preauth plugin to prompt the user to
> insert their token and press Enter if the code doesn't find a token.
> While making this mod I came across these defines in krb5.h:
>
> /*
> * Prompter enhancements
> */
>
> #define KRB5_PROMPT_TYPE_PASSWORD 0x1
> #define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2
> #define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3
> #define KRB5_PROMPT_TYPE_PREAUTH 0x4
>
> My question: what is the proper prompt type for the prompt I'm creating
> (a reminder prompt that isn't asking for a PIN or password)?

IMO yours is a distinct prompt type.

KRB5_PROMPT_TYPE_PREAUTH should be used for such things as impending
password expiry warnings, as well as error messages. A specific prompt
type should generally be required any time the user has to take action
in response to a prompt in order to proceed:

- password
- new password
- new password again
- challenge/response
- OTP
- OTP sync
- PIN
- "insert smartcard if you have one"
- biometrics

That's probably a reasonably complete set.

Nico
--
More information about the krbdev mailing list