prompter type question
will.fiveash at oracle.com
Tue Mar 16 16:25:18 EDT 2010
On Tue, Mar 16, 2010 at 03:10:14PM -0500, Nicolas Williams wrote:
> On Tue, Mar 16, 2010 at 02:09:49PM -0500, Will Fiveash wrote:
> > I'm looking at modifying the pkinit preauth plugin to prompt the user to
> > insert their token and press Enter if the code doesn't find a token.
> > While making this mod I came across these defines in krb5.h:
> > /*
> > * Prompter enhancements
> > */
> > #define KRB5_PROMPT_TYPE_PASSWORD 0x1
> > #define KRB5_PROMPT_TYPE_NEW_PASSWORD 0x2
> > #define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x3
> > #define KRB5_PROMPT_TYPE_PREAUTH 0x4
> > My question; what is the proper prompt type for the prompt I'm creating
> > (a reminder prompt that isn't asking for a PIN or password)?
> IMO yours is a distinct prompt type.
> KRB5_PROMPT_TYPE_PREAUTH should be used for such things as impending
> password expiry warnings, as well as error messages.
It appears to be set when the pkinit plugin prompts for a PIN.
> A specific prompt type should generally be required any time the user
> has to take action in response to a prompt in order to proceed:
> - password
> - new password
> - new password again
> - challenge/response
> - OTP
> - OTP sync
> - PIN
> - "insert smartcard if you have one"
> - biometrics
> That's probably a reasonably complete set.
So the current set of prompt type defines should be expanded to map to
the set you describe above?
More information about the krbdev