gnome-keyring Obtaining a TGT without unrestricted access to password.
David Woodhouse
dwmw2 at infradead.org
Thu Jun 16 06:53:58 EDT 2011
On Thu, 2011-06-16 at 12:40 +0200, Guido Günther wrote:
> How does this integrate with PKINIT and FAST? The reason
> krb5-auth-dialog relies krb5_get_init_creds_* is that the Kerberos
> library handles asking for the right authentication (Password or e.g.
> smartcard PIN) at the moment.
In the case where you are using password authentication, currently
krb5-auth-dialog calls krb5_get_init_creds_password().
That will internally call krb5int_get_init_creds() with a pointer to the
krb5_get_as_key_password() function, which gets called when the key is
required.
If you were to (somehow) call krb5int_get_init_creds() with a pointer to
your *own* get_as_key function, your get_as_key function could return a
krb5_keyblock for a "special" key. As discussed, that key is exactly
like a a key in a hardware/PKCS#11 token, where we don't actually have
the private key data, so we have to call out to the 'token' perform the
operations with that key, instead of trying to do the maths for
ourselves.
And of course if gkr isn't present or isn't playing, your get_as_key
function would just do everything the old way; perhaps just by calling
krb5_get_as_key_password() directly.
--
dwmw2
More information about the krbdev
mailing list