prompter type question
Nicolas Williams
Nicolas.Williams at sun.com
Thu Mar 18 14:49:43 EDT 2010
On Thu, Mar 18, 2010 at 01:17:37PM -0500, Will Fiveash wrote:
> typedef struct _krb5_prompt {
>     char *prompt;
>     int hidden;
>     krb5_data *reply;
> } krb5_prompt;
Arguably a PREAUTH type prompt with hidden set would be a prompt for a
PIN or OTP, while a PREAUTH type prompt with hidden unset would be an
informative prompt of some kind (any kind).
I strongly suspect that the prompt types thing was added to facilitate
writing PAM modules that use krb5_get_init_creds*(). But I have no
proof of this. IIRC this was already there when I first needed it back
in 2001 (at my then employer we hacked on Frank Cusack's pam_krb5
extensively and made use of prompt types).
> Given this, can I assume that KRB5_PROMPT_TYPE_PREAUTH is indicating the
> reply data is a PIN? If that is the case then I should not be setting
Only if hidden is true. Otherwise it could be an informative prompt.
> the prompt_type to KRB5_PROMPT_TYPE_PREAUTH when prompting the user to
> insert their smart card as this prompt is only looking for the user to
> hit Enter once they've inserted their card (there will be another prompt
> for the user's PIN once the pkinit plugin has found an appropriate
> token).
No, you should be setting KRB5_PROMPT_TYPE_PREAUTH but also hidden == 0.
> In general I think the KRB5_PROMPT_TYPE_PREAUTH prompt type is ambiguous
> and I agree with Nico that the set of prompt_type defines needs to be
> expanded to better identify the types of prompt replies.
>
> Thoughts?
I agree with myself too :) We need a fuller set of prompt type
definitions to cover the needs of all the pre-auth modules that exist
now, and when new modules are added or when new prompts are added to
existing modules we should add new prompt types as necessary.
Nico
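
The rule discussed in this message (a PREAUTH prompt is a PIN or OTP only when hidden is set, and informative otherwise), as an added example that is not part of the original message or of the krb5 sources. The PT_* constants and ex_* structs are local stand-ins for the krb5.h definitions so that it builds without the library, and the handling classes and function names are hypothetical; a real prompter would take the types from krb5_get_prompt_types().

```c
#include <stddef.h>

/* Stand-ins so this builds without krb5.h. Constant values copied from MIT
 * krb5's krb5.h (KRB5_PROMPT_TYPE_*); struct shapes follow the quoted one. */
#define PT_PASSWORD           0x1
#define PT_NEW_PASSWORD       0x2
#define PT_NEW_PASSWORD_AGAIN 0x3
#define PT_PREAUTH            0x4
struct ex_data   { unsigned int length; char *data; };
struct ex_prompt { char *prompt; int hidden; struct ex_data *reply; };

/* Hypothetical handling classes for a PAM-style front end. */
enum pclass { PC_PASSWORD, PC_NEW_PASSWORD, PC_SECRET, PC_INFO };

enum pclass classify_prompt(int type, int hidden)
{
    switch (type) {
    case PT_PASSWORD:           return PC_PASSWORD;
    case PT_NEW_PASSWORD:
    case PT_NEW_PASSWORD_AGAIN: return PC_NEW_PASSWORD;
    case PT_PREAUTH:            /* thread: hidden => PIN/OTP, else informative */
    default:                    /* unknown type: trust only the hidden flag */
        return hidden ? PC_SECRET : PC_INFO;
    }
}

/* Zero the reply buffer of every prompt whose answer was secret. */
size_t scrub_secret_replies(struct ex_prompt *p, const int *types, int n)
{
    size_t wiped = 0;
    for (int i = 0; i < n; i++) {
        if (classify_prompt(types[i], p[i].hidden) == PC_INFO) continue;
        if (!p[i].reply || !p[i].reply->data) continue;
        volatile char *v = p[i].reply->data;  /* volatile: keep the stores */
        for (unsigned int j = 0; j < p[i].reply->length; j++) v[j] = 0;
        wiped++;
    }
    return wiped;
}

/* Constructed sample: "insert card" (PREAUTH, not hidden) then PIN (hidden). */
int demo_pin_wiped_ack_kept(void)
{
    char ack[] = "\n", pin[] = "1234";
    struct ex_data r0 = { 1, ack }, r1 = { 4, pin };
    struct ex_prompt p[2] = { { "Insert smart card", 0, &r0 }, { "PIN", 1, &r1 } };
    int types[2] = { PT_PREAUTH, PT_PREAUTH };
    return scrub_secret_replies(p, types, 2) == 1 && pin[0] == 0 && pin[3] == 0 && ack[0] == '\n';
}
```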