prompter type question

Nicolas Williams Nicolas.Williams at
Thu Mar 18 14:49:43 EDT 2010

On Thu, Mar 18, 2010 at 01:17:37PM -0500, Will Fiveash wrote:
> typedef struct _krb5_prompt {
>     char *prompt;
>     int hidden;
>     krb5_data *reply;
> } krb5_prompt;

Arguably a PREAUTH type prompt with hidden set would be a prompt for a
PIN or OTP, while a PREAUTH type prompt with hidden unset would be an
informative prompt of some kind (any kind).

I strongly suspect that the prompt types thing was added to facilitate
writing PAM modules that use krb5_get_init_creds*().  But I have no
proof of this.  IIRC this was already there when I first needed it back
in 2001 (at my then employer we hacked on Frank Cusak's pam_krb5
extensively and made use of prompt types).

> Given this, can I assume that KRB5_PROMPT_TYPE_PREAUTH is indicating the
> reply data is a PIN?  If that is the case then I should not be setting

Only if hidden is true.  Otherwise it could be an informative prompt.

> the prompt_type to KRB5_PROMPT_TYPE_PREAUTH when prompting the user to
> insert their smart card as this prompt is only looking for the user to
> hit Enter once they've inserted their card (there will be another prompt
> for the user's PIN once the pkinit plugin has found an appropriate
> token).

No, you should be setting KRB5_PROMPT_TYPE_PREAUTH but also hidden == 0.

> In general I think the KRB5_PROMPT_TYPE_PREAUTH prompt type is ambiguous
> and I agree with Nico that the set of prompt_type defines needs to be
> expanded to better identify the types of prompt replies. 
> Thoughts?

I agree with myself too :)  We need a fuller set of prompt type
definitions to cover the needs of all the pre-auth modules that exist
now, and when new modules are added or when new prompts are added to
existing modules we should add new prompt types as necessary.
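As an added illustration (not code from this thread or from MIT krb5), here is how a non-interactive prompter, of the kind a PAM module would pass to krb5_get_init_creds_password(), can apply the (prompt_type, hidden) rule proposed above: a PREAUTH prompt with hidden set receives the PIN, a PREAUTH prompt with hidden unset is treated as informative and answered with an empty reply, and anything the prompter cannot classify fails closed instead of sending a secret to the wrong place. The krb5_prompt layout is the one quoted in the thread; the krb5_data stand-in, the KRB5_PROMPT_TYPE_* values (copied from MIT krb5's krb5.h so the file builds without libkrb5), the prompt_kind enum, and the answer_prompts()/demo_smartcard_exchange() functions are this example's own. A real prompter would fetch the types array with krb5_get_prompt_types(context); here it is passed in directly because there is no krb5_context.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the libkrb5 types so this file builds without krb5.h.
 * The krb5_prompt layout is the one quoted in the thread. */
typedef struct {
    int magic;
    unsigned int length;  /* on entry: buffer size at data; on exit: bytes written */
    char *data;
} krb5_data;

typedef struct _krb5_prompt {
    char *prompt;
    int hidden;
    krb5_data *reply;
} krb5_prompt;

typedef int krb5_prompt_type;
/* Values as defined in MIT krb5's krb5.h, reproduced here. */
#define KRB5_PROMPT_TYPE_PASSWORD           0x01
#define KRB5_PROMPT_TYPE_NEW_PASSWORD       0x02
#define KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 0x03
#define KRB5_PROMPT_TYPE_PREAUTH            0x04

/* Hypothetical classification used by this example only. */
enum prompt_kind {
    KIND_PASSWORD,      /* current password: never echo or log */
    KIND_NEW_PASSWORD,  /* new password or its confirmation */
    KIND_PIN_OR_OTP,    /* PREAUTH + hidden: PIN/OTP, never echo or log */
    KIND_INFORMATIVE,   /* PREAUTH + !hidden: e.g. "insert your card" */
    KIND_UNKNOWN
};

enum prompt_kind classify_prompt(krb5_prompt_type type, int hidden)
{
    switch (type) {
    case KRB5_PROMPT_TYPE_PASSWORD:
        return KIND_PASSWORD;
    case KRB5_PROMPT_TYPE_NEW_PASSWORD:
    case KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:
        return KIND_NEW_PASSWORD;
    case KRB5_PROMPT_TYPE_PREAUTH:
        return hidden ? KIND_PIN_OR_OTP : KIND_INFORMATIVE;
    default:
        return KIND_UNKNOWN;
    }
}

/* Copy a secret into the caller-provided reply buffer, refusing to truncate. */
static int set_reply(krb5_data *reply, const char *value)
{
    size_t n = strlen(value);
    if (reply == NULL || reply->data == NULL || n >= reply->length)
        return -1;
    memcpy(reply->data, value, n);
    reply->data[n] = '\0';
    reply->length = (unsigned int)n;
    return 0;
}

/* Prompter body: answer each prompt from pre-supplied credentials.
 * Returns 0 on success, -1 if any prompt cannot be answered safely. */
int answer_prompts(krb5_prompt prompts[], const krb5_prompt_type types[],
                   int num_prompts, const char *password, const char *pin)
{
    for (int i = 0; i < num_prompts; i++) {
        krb5_prompt_type t = (types != NULL) ? types[i] : 0;
        switch (classify_prompt(t, prompts[i].hidden)) {
        case KIND_PASSWORD:
            if (password == NULL || set_reply(prompts[i].reply, password) != 0)
                return -1;
            break;
        case KIND_PIN_OR_OTP:
            if (pin == NULL || set_reply(prompts[i].reply, pin) != 0)
                return -1;
            break;
        case KIND_INFORMATIVE:
            /* No secret requested (e.g. "press Enter"): empty acknowledgement. */
            if (prompts[i].reply != NULL && prompts[i].reply->data != NULL) {
                prompts[i].reply->data[0] = '\0';
                prompts[i].reply->length = 0;
            }
            break;
        default:
            /* Unknown or unsupported prompt: fail closed rather than guess. */
            return -1;
        }
    }
    return 0;
}

/* Constructed sample: the two-prompt pkinit exchange described in the thread. */
int demo_smartcard_exchange(void)
{
    char buf0[8] = {0}, buf1[16] = {0};
    krb5_data r0 = { 0, sizeof buf0, buf0 };
    krb5_data r1 = { 0, sizeof buf1, buf1 };
    krb5_prompt prompts[2] = {
        { "Insert your smart card and press Enter", 0, &r0 },
        { "PIN", 1, &r1 },
    };
    krb5_prompt_type types[2] = { KRB5_PROMPT_TYPE_PREAUTH, KRB5_PROMPT_TYPE_PREAUTH };

    if (answer_prompts(prompts, types, 2, NULL, "1234") != 0)  /* constructed PIN */
        return 1;
    if (r0.length != 0 || r1.length != 4 || strcmp(buf1, "1234") != 0)
        return 2;
    /* A hidden password prompt with no password available must fail closed. */
    krb5_prompt pw = { "Password", 1, &r1 };
    krb5_prompt_type pt = KRB5_PROMPT_TYPE_PASSWORD;
    if (answer_prompts(&pw, &pt, 1, NULL, "1234") != -1)
        return 3;
    return 0;
}

int main(void)
{
    int rc = demo_smartcard_exchange();
    printf("smart card exchange: %s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```

The point of the fail-closed default is the ambiguity raised in the thread: without a richer set of prompt types, a hidden prompt the module does not recognise could be anything, so the safe behaviour is to decline it rather than send the PIN or password into an unidentified reply.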
