Getting the password in a preauth plugin
Yair Yarom
irush at cs.huji.ac.il
Wed Apr 18 04:47:44 EDT 2012
Greg Hudson <ghudson at MIT.EDU> writes:
> On 04/16/2012 09:13 AM, Yair Yarom wrote:
>> In a preauth plugin, in the client process function, I want to get the
>> user's password if available. I want the password itself, and if the
>> user hasn't entered it yet don't prompt for it (I'll call the prompter
>> later for that purpose).
>
>> Is there a correct way to get it?
>
> Not in the current preauth interface, and as far as I understand the
> design, that's deliberate. The method you're currently using will
> probably fail badly if the caller tries to authenticate with a keytab.
>
> Can you explain more about what you're doing? We could potentially
> provide a password callback in a future version of the interface, given
> a good reason.
My preauth plugin is based on Nordberg's FAST OTP plugin. I want to get
a ticket through pam, but some applications set the username and
password and don't support the pam conversation properly. So I want to
use pam_krb5's {use,try,force}_first_pass to try to avoid the pam
conversation completely. As such I need pam_krb5 to pass the password to
the plugin without prompting.
My other solution is to ask pam_krb5 to blindly answer the prompt with
the password, but I can already see several problems with this solution.
Yair.
More information about the krbdev
mailing list