prompter type question

Nicolas Williams Nicolas.Williams at
Tue Mar 16 16:10:14 EDT 2010

On Tue, Mar 16, 2010 at 02:09:49PM -0500, Will Fiveash wrote:
> I'm looking at modifying the pkinit preauth plugin to prompt the user to
> insert their token and press Enter if the code doesn't find a token.
> While making this mod I came across these defines in krb5.h:
> /*
>  * Prompter enhancements
>  */
> #define KRB5_PROMPT_TYPE_PASSWORD            0x1
> #define KRB5_PROMPT_TYPE_NEW_PASSWORD        0x2
> #define KRB5_PROMPT_TYPE_PREAUTH             0x4
> My question; what is the proper prompt type for the prompt I'm creating
> (a reminder prompt that isn't asking for a PIN or password)?

IMO yours is a distinct prompt type.

KRB5_PROMPT_TYPE_PREAUTH should be used for such things as impending
password expiry warnings, as well as error messages.  A specific prompt
type should generally be required any time the user has to take action
in response to a prompt in order to proceed:

 - password
 - new password
 - new password again
 - challenge/response
 - OTP
 - OTP sync
 - PIN
 - "insert smartcard if you have one"
 - biometrics

That's probably a reasonably complete set.


More information about the krbdev mailing list