prompter type question
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Mar 23 15:14:03 EDT 2010
--On Tuesday, March 23, 2010 02:00:48 PM -0500 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Tue, Mar 23, 2010 at 11:51:41AM -0700, Jeffrey Hutzelman wrote:
>> --On Tuesday, March 23, 2010 12:31:09 PM -0400 Greg Hudson
>> <ghudson at mit.edu> wrote:
>> > Can I have a bit more information about what Sun's pam_krb5
>> > implementation wants to do with the prompt types? We can probably add
>> > these three once I understand the need for them.
>>
>> I don't speak for Sun, but...
>
> ... you did a good job :)
>
>> It's important that PAM modules be able to distinguish prompts for
>> multiple things from each other, so that they can correctly
>> associate prompts with previously-collected replies when retrying an
>> operation after a conversation function returns PAM_CONV_AGAIN.
>>
>> In addition, as the PAM framework's ability to pass
>> previously-entered responses between modules improves, it is
>> important for PAM modules to be able to tell what a prompt is for,
>> so they can convey it correctly to other modules. It would be bad
>> to record the answer to a PIN prompt as if it were a password; we
>> have recently discussed the implications of such confusion.
Actually, I missed mentioning another reason for having distinct prompt
types for each piece of information, and for things like "insert token".
The client may not necessarily be a PAM module. In fact, it might be some
kind of indirection or automation, in which case it would need separate
prompt types in order to have a prayer of understanding what you're asking
it to do.
-- Jeff
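As an added illustration of the point made in this message (example code written for this page, not code from the krbdev thread, from MIT krb5, or from Sun's pam_krb5): a self-contained C model of a prompter that keys the replies it has already collected by prompt type, so a retry after the conversation function asks to be called again re-associates each answer with the right prompt, and an answer to a PIN prompt is never handed out as a password. The enum names are modelled on krb5's KRB5_PROMPT_TYPE_* names but are defined locally and nothing links against libkrb5; the PT_PIN and PT_TOKEN types, the conversation stub, and the prompt strings and answers are all hypothetical, constructed input.

```c
/* Added example, not from the krbdev thread, MIT krb5 or Sun pam_krb5.
 * Models a prompter that caches collected replies by prompt type so that a
 * retry after "ask me again" (PAM_CONV_AGAIN) re-uses the right answers.
 * Nothing here links against libkrb5; names merely resemble it. */
#include <stdio.h>
#include <string.h>

/* First four names follow MIT krb5's prompt types; PIN and TOKEN are
 * hypothetical additions of the kind the thread discusses. */
enum prompt_type {
    PT_PASSWORD = 1,
    PT_NEW_PASSWORD = 2,
    PT_NEW_PASSWORD_AGAIN = 3,
    PT_PREAUTH = 4,
    PT_PIN = 5,   /* hypothetical */
    PT_TOKEN = 6  /* hypothetical: "insert token" */
};
#define PT_MAX 7
#define REPLY_LEN 64

/* A prompt as the library would hand it to the prompter callback. */
struct prompt { const char *text; int hidden; char reply[REPLY_LEN]; };

enum { PROMPTER_OK = 0, PROMPTER_AGAIN = 1, PROMPTER_ERR = 2 };

/* Replies already collected, indexed by prompt type (never by position). */
struct reply_cache { int have[PT_MAX]; char reply[PT_MAX][REPLY_LEN]; };

/* Stand-in for a PAM conversation function (constructed test double). */
struct conv_state {
    const char *answers[PT_MAX]; /* what the user will eventually type, per type */
    int again_pending[PT_MAX];   /* first ask for this type returns AGAIN */
    int calls[PT_MAX];           /* how often each type was put to the user */
};

static int conversation(struct conv_state *cs, int type, const char *text,
                        char *out, size_t outlen)
{
    (void)text;
    cs->calls[type]++;
    if (cs->again_pending[type]) { cs->again_pending[type] = 0; return PROMPTER_AGAIN; }
    if (cs->answers[type] == NULL) return PROMPTER_ERR;
    snprintf(out, outlen, "%s", cs->answers[type]);
    return PROMPTER_OK;
}

/* Returns the cached reply for a type, or NULL: a PIN collected under PT_PIN
 * is never returned for a PT_PASSWORD lookup. */
static const char *cache_lookup(const struct reply_cache *c, int type)
{
    if (type <= 0 || type >= PT_MAX || !c->have[type]) return NULL;
    return c->reply[type];
}

/* The prompter: use the cached reply for each prompt's type if present,
 * otherwise ask the conversation; on AGAIN return at once so the caller can
 * retry the whole operation with the cache intact. Unknown types are refused
 * rather than guessed at. */
static int prompter(struct conv_state *cs, struct reply_cache *cache,
                    struct prompt *prompts, const int *types, int n)
{
    for (int i = 0; i < n; i++) {
        int t = types[i];
        if (t <= 0 || t >= PT_MAX) return PROMPTER_ERR;
        if (!cache->have[t]) {
            int rc = conversation(cs, t, prompts[i].text, cache->reply[t], REPLY_LEN);
            if (rc != PROMPTER_OK) return rc;
            cache->have[t] = 1;
        }
        snprintf(prompts[i].reply, REPLY_LEN, "%s", cache->reply[t]);
    }
    return PROMPTER_OK;
}

/* Retry loop: returns the attempt number that succeeded, or -1. */
static int run_auth(struct conv_state *cs, struct reply_cache *cache,
                    struct prompt *prompts, const int *types, int n, int max_tries)
{
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        int rc = prompter(cs, cache, prompts, types, n);
        if (rc == PROMPTER_OK) return attempt;
        if (rc != PROMPTER_AGAIN) return -1;
    }
    return -1;
}

int main(void)
{
    /* Constructed scenario: password answered at once, PIN needs one "again". */
    struct conv_state cs = {0};
    struct reply_cache cache = {0};
    struct prompt prompts[2] = {
        { "Password for jdoe@EXAMPLE.ORG: ", 1, "" },
        { "Enter PIN: ", 1, "" },
    };
    const int types[2] = { PT_PASSWORD, PT_PIN };
    cs.answers[PT_PASSWORD] = "correct horse";
    cs.answers[PT_PIN] = "1234";
    cs.again_pending[PT_PIN] = 1;
    int attempts = run_auth(&cs, &cache, prompts, types, 2, 3);
    printf("succeeded after %d attempt(s); password asked %d time(s), PIN %d time(s)\n",
           attempts, cs.calls[PT_PASSWORD], cs.calls[PT_PIN]);
    printf("password cached as: %s; PIN reply: %s\n",
           cache_lookup(&cache, PT_PASSWORD), prompts[1].reply);
    return attempts > 0 ? 0 : 1;
}
```

The design choice worth noting: the cache is indexed by prompt type, not by the prompt's position in the array or by its text, which is exactly what lets the second attempt skip the password prompt and still put the PIN answer where it belongs; a prompter that cannot tell the types apart would have to either re-ask everything or guess, and a guess is how a PIN ends up stored as a password.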
More information about the krbdev mailing list