prompter type question
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Mar 23 14:51:41 EDT 2010
--On Tuesday, March 23, 2010 12:31:09 PM -0400 Greg Hudson
<ghudson at mit.edu> wrote:
> On Mon, 2010-03-22 at 18:24 -0400, Nicolas Williams wrote:
>> But boy do we need prompt type information in pam_krb5!
> [...]
>> Yes, but the prompter may still need to know what this is about.
> [...]
>> Clearly it's OK to use it. But using it doesn't solve Will's problem.
> [...]
>> There's a set of prompt types that are specific to PKINIT that would
>> greatly help Will now:
>>
>> - insert-token
>> - enter-PIN
>> - enter-PIN-on-the-smartcard's-PIN-pad
>
> Can I have a bit more information about what Sun's pam_krb5
> implementation wants to do with the prompt types? We can probably add
> these three once I understand the need for them.

I don't speak for Sun, but...

It's important that PAM modules be able to distinguish prompts for multiple
things from each other, so that they can correctly associate prompts with
previously-collected replies when retrying an operation after a
conversation function returns PAM_CONV_AGAIN.

In addition, as the PAM framework's ability to pass previously-entered
responses between modules improves, it is important for PAM modules to be
able to tell what a prompt is for, so they can convey it correctly to other
modules. It would be bad to record the answer to a PIN prompt as if it
were a password; we have recently discussed the implications of such
confusion.

-- Jeff
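
The following is an added illustration, not part of the original message and not code from pam_krb5 or MIT krb5: a self-contained C sketch of a reply cache keyed by prompt type, so that a retry after a "try again" result reuses the right reply even when the prompts come back in a different order. The enum values, struct names, `answer_prompts` and `demo_conv` are hypothetical, and the reply strings are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical prompt types, modelled on the ones proposed in the thread. */
enum ptype { PT_PASSWORD, PT_INSERT_TOKEN, PT_ENTER_PIN, PT_PINPAD, PT_COUNT };
enum conv_rc { CONV_OK, CONV_AGAIN };   /* CONV_AGAIN stands in for PAM_CONV_AGAIN */

struct prompt { enum ptype type; const char *text; };
struct reply_cache { char val[PT_COUNT][64]; int have[PT_COUNT]; };

/* Conversation callback: fills buf and returns CONV_OK, or CONV_AGAIN. */
typedef enum conv_rc (*conv_fn)(const struct prompt *p, char *buf, size_t len);

/* Answer every prompt, reusing replies cached under the same type rather
 * than the same position. On CONV_AGAIN the caller retries with the same cache. */
enum conv_rc answer_prompts(struct reply_cache *c, const struct prompt *p,
                            size_t n, conv_fn conv, const char **out)
{
    for (size_t i = 0; i < n; i++) {
        enum ptype t = p[i].type;
        if (!c->have[t]) {
            if (conv(&p[i], c->val[t], sizeof c->val[t]) == CONV_AGAIN)
                return CONV_AGAIN;      /* earlier replies stay cached */
            c->have[t] = 1;
        }
        out[i] = c->val[t];
    }
    return CONV_OK;
}

/* Constructed conversation: the PIN is not ready on the first request. */
static int pin_calls;
enum conv_rc demo_conv(const struct prompt *p, char *buf, size_t len)
{
    if (p->type == PT_ENTER_PIN && pin_calls++ == 0)
        return CONV_AGAIN;
    snprintf(buf, len, "%s", p->type == PT_ENTER_PIN ? "1234" : "hunter2");
    return CONV_OK;
}

int main(void)
{
    struct reply_cache c = {0};
    const char *out[2];
    struct prompt first[] = {{PT_PASSWORD, "Password: "}, {PT_ENTER_PIN, "PIN: "}};
    struct prompt retry[] = {{PT_ENTER_PIN, "PIN: "}, {PT_PASSWORD, "Password: "}};
    if (answer_prompts(&c, first, 2, demo_conv, out) == CONV_AGAIN)
        answer_prompts(&c, retry, 2, demo_conv, out);   /* order changed */
    printf("PIN prompt got %s, password prompt got %s\n", out[0], out[1]);
    return strcmp(out[0], "1234") != 0;
}
```

A cache indexed by position instead of type would hand the stored password to the PIN prompt on the retry above.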