prompter type question

Will Fiveash will.fiveash at oracle.com
Thu Mar 18 14:17:37 EDT 2010


On Thu, Mar 18, 2010 at 09:53:42AM -0400, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:
> 
>     >> 
>     >> preauth.
> 
>     Will> What is the intention of the KRB5_PROMPT_TYPE_PREAUTH define
>     Will> and how does that differ from the KRB5_PROMPT_TYPE_PASSWORD?
>     Will> I ask because I was under the impression the
>     Will> KRB5_PROMPT_TYPE_PREAUTH type is currently being used for a
>     Will> prompt requesting a PIN.  Is it to be used for all preauth
>     Will> related prompts including the prompt I'm adding which request
>     Will> the user insert their smart card?  If that is the case then
>     Will> I'm confused as to when KRB5_PROMPT_TYPE_PASSWORD should be
>     Will> set.
> 
> 
> The main difference presumably is whether the prompter will echo the
> response.  Also, a GUI prompter could reasonably ignore the text for a
> password or new password prompt, using its own localization, etc, but
> could not do that for a preauth prompt.

The current implementation of the default prompter function in libkrb5,
krb5_prompter_posix(), does not use the prompt_type to determine whether
the user's input should be echoed or not.  Instead it is using the
hidden field in struct _krb5_prompt that is passed in to
krb5_prompter_posix():

typedef struct _krb5_prompt {
    char *prompt;       /* text shown to the user */
    int hidden;         /* nonzero: do not echo the user's reply */
    krb5_data *reply;   /* caller-supplied buffer; length is set to the reply length */
} krb5_prompt;

Looking at this more, I do see one function that is using the
prompt_type and that is kinit_prompter().  Here is that code:

static krb5_error_code
kinit_prompter(krb5_context ctx, void *data, const char *name,
               const char *banner, int num_prompts, krb5_prompt prompts[])
{
    int i;
    krb5_prompt_type *types;
    krb5_error_code rc =
        krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);

    /* Echo or no-echo was already decided inside krb5_prompter_posix()
     * from prompts[i].hidden; the type array is consulted only to find
     * out which reply, if any, is the user's password. */
    if (!rc && (types = krb5_get_prompt_types(ctx))) {
        for (i = 0; i < num_prompts; i++) {
            if ((types[i] == KRB5_PROMPT_TYPE_PASSWORD) ||
                (types[i] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
#ifdef KRB5_KRB4_COMPAT
                /* stash_password[] and got_password are file-scope in kinit.c */
                strncpy(stash_password, prompts[i].reply->data,
                        sizeof(stash_password));
                /* strncpy() leaves no terminator when the reply fills the
                 * buffer, so terminate explicitly. */
                stash_password[sizeof(stash_password) - 1] = '\0';
                got_password = 1;
#endif
            }
        }
    }
    return rc;
}

So it is using prompt_types to determine if one of the prompts was for
either a KRB5_PROMPT_TYPE_PASSWORD or
KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN and on that basis it can tell that
the reply data for that particular prompt contains a password.

Given this, can I assume that KRB5_PROMPT_TYPE_PREAUTH is indicating the
reply data is a PIN?  If that is the case then I should not be setting
the prompt_type to KRB5_PROMPT_TYPE_PREAUTH when prompting the user to
insert their smart card as this prompt is only looking for the user to
hit Enter once they've inserted their card (there will be another prompt
for the user's PIN once the pkinit plugin has found an appropriate
token).

In general I think the KRB5_PROMPT_TYPE_PREAUTH prompt type is ambiguous
and I agree with Nico that the set of prompt_type defines needs to be
expanded to better identify the types of prompt replies. 

Thoughts?

-- 
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet text MUA.
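To make the distinction in the message above concrete, here is an added example of a prompter callback (not code from MIT krb5, from kinit, or from the poster) that consults both the per-prompt `hidden` flag and the array returned by krb5_get_prompt_types() before deciding what a reply holds. It compiles without <krb5.h>: the few libkrb5 types and constants it uses are re-declared with the same shape as the real headers (assumption: the KRB5_PROMPT_TYPE_* values match krb5.h of that era), a stand-in context carries the type array that libkrb5 would, and the replies are canned rather than read from a terminal. The three-prompt smart-card scenario (insert card, PIN, password) and the answers fed to it are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

typedef int krb5_error_code;
typedef int krb5_prompt_type;

typedef struct _krb5_data {
    int magic;
    unsigned int length;   /* on entry: buffer size; on exit: reply length */
    char *data;
} krb5_data;

typedef struct _krb5_prompt {
    char *prompt;
    int hidden;            /* 1 = do not echo the user's input */
    krb5_data *reply;
} krb5_prompt;

/* Values assumed to match krb5.h of the time. */
#define KRB5_PROMPT_TYPE_PASSWORD            0x1
#define KRB5_PROMPT_TYPE_NEW_PASSWORD        0x2
#define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN  0x3
#define KRB5_PROMPT_TYPE_PREAUTH             0x4

/* Stand-in for krb5_context: only the part a prompter needs here. */
struct example_context { krb5_prompt_type *prompt_types; };
typedef struct example_context *krb5_context;

static krb5_prompt_type *krb5_get_prompt_types(krb5_context ctx)
{
    return ctx->prompt_types;   /* libkrb5 fills this in before calling the prompter */
}

/* What a reply actually holds, derived from (prompt type, hidden flag). */
enum reply_kind {
    REPLY_PASSWORD,        /* current password: the only thing kinit may stash */
    REPLY_NEW_PASSWORD,    /* a new password (or its confirmation): never stash */
    REPLY_PREAUTH_SECRET,  /* hidden preauth reply, e.g. a PIN or OTP */
    REPLY_PREAUTH_ACK,     /* echoed preauth reply, e.g. Enter after inserting a card */
    REPLY_UNKNOWN          /* no type information: only `hidden` is trustworthy */
};

enum reply_kind classify_reply(krb5_prompt_type type, int hidden)
{
    switch (type) {
    case KRB5_PROMPT_TYPE_PASSWORD:           return REPLY_PASSWORD;
    case KRB5_PROMPT_TYPE_NEW_PASSWORD:
    case KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN: return REPLY_NEW_PASSWORD;
    case KRB5_PROMPT_TYPE_PREAUTH:
        /* PREAUTH alone is ambiguous (PIN vs. "insert your card"), so
         * the hidden flag decides whether the reply is a secret. */
        return hidden ? REPLY_PREAUTH_SECRET : REPLY_PREAUTH_ACK;
    default:                                  return REPLY_UNKNOWN;
    }
}

/* Canned input passed through the prompter's opaque `data` argument
 * instead of reading the terminal (constructed for the example). */
struct canned_input {
    const char **answers;
    char stash[64];        /* where a PASSWORD reply is kept, as kinit does */
    int got_password;
};

/* Same signature as krb5_prompter_fct; name and banner are unused here. */
krb5_error_code example_prompter(krb5_context ctx, void *data,
                                 const char *name, const char *banner,
                                 int num_prompts, krb5_prompt prompts[])
{
    struct canned_input *in = data;
    krb5_prompt_type *types = krb5_get_prompt_types(ctx);
    int i;

    (void)name; (void)banner;
    for (i = 0; i < num_prompts; i++) {
        krb5_data *reply = prompts[i].reply;
        size_t len = strlen(in->answers[i]);

        /* A real prompter prints prompts[i].prompt and disables echo when
         * prompts[i].hidden is set; the reply is copied with room for a NUL. */
        if (len >= reply->length)
            len = reply->length - 1;
        memcpy(reply->data, in->answers[i], len);
        reply->data[len] = '\0';
        reply->length = (unsigned int)len;

        /* A PIN (PREAUTH + hidden) is secret but is not a password and must
         * not be stashed as one; only a PASSWORD-typed reply qualifies. */
        if (types != NULL &&
            classify_reply(types[i], prompts[i].hidden) == REPLY_PASSWORD) {
            strncpy(in->stash, reply->data, sizeof(in->stash) - 1);
            in->stash[sizeof(in->stash) - 1] = '\0';
            in->got_password = 1;
        }
    }
    return 0;
}

/* Runs the prompts a smart-card logon might issue; returns 1 when the
 * password, and only the password, ended up in the stash. */
int run_smartcard_scenario(void)
{
    static krb5_prompt_type types[3] = { KRB5_PROMPT_TYPE_PREAUTH,
                                         KRB5_PROMPT_TYPE_PREAUTH,
                                         KRB5_PROMPT_TYPE_PASSWORD };
    struct example_context ctx = { types };
    char b0[32], b1[32], b2[32];
    krb5_data r0 = { 0, sizeof b0, b0 }, r1 = { 0, sizeof b1, b1 },
              r2 = { 0, sizeof b2, b2 };
    krb5_prompt prompts[3] = {
        { "Insert your smart card and press Enter", 0, &r0 },
        { "PIN", 1, &r1 },
        { "Password for alice@EXAMPLE.COM", 1, &r2 },
    };
    const char *answers[3] = { "", "1234", "hunter2" };   /* constructed */
    struct canned_input in = { answers, "", 0 };

    if (example_prompter(&ctx, &in, "kinit", NULL, 3, prompts) != 0)
        return 0;
    return in.got_password && strcmp(in.stash, "hunter2") == 0 &&
           strcmp(r1.data, "1234") == 0 && r0.length == 0;
}

int main(void)
{
    printf("smart-card scenario: %s\n", run_smartcard_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The point of the example is the split of responsibilities the thread describes: the `hidden` flag governs echo at prompt time, while the type array governs what the reply may be used for afterwards. A prompter that looked at the type alone would either echo PINs or treat "press Enter" as a secret, which is exactly the ambiguity in KRB5_PROMPT_TYPE_PREAUTH that the message raises.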



More information about the krbdev mailing list