Getting the password in a preauth plugin

Yair Yarom irush at
Wed Apr 18 04:47:44 EDT 2012

Greg Hudson <ghudson at MIT.EDU> writes:

> On 04/16/2012 09:13 AM, Yair Yarom wrote:
>> In a preauth plugin, in the client process function, I want to get the
>> user's password if available. I want the password itself, and if the
>> user hasn't entered it yet don't prompt for it (I'll call the prompter
>> later for that purpose). 
>> Is there a correct way to get it?
> Not in the current preauth interface, and as far as I understand the
> design, that's deliberate.  The method you're currently using will
> probably fail badly if the caller tries to authenticate with a keytab.
> Can you explain more about what you're doing?  We could potentially
> provide a password callback in a future version of the interface, given
> a good reason.

My preauth plugin is based on Nordberg's FAST OTP plugin. I want to get
a ticket through PAM, but some applications set the username and
password and don't support the PAM conversation properly. So I want to
use pam_krb5's {use,try,force}_first_pass to try to avoid the PAM
conversation completely. As such I need pam_krb5 to pass the password to
the plugin without prompting.

My other solution is to ask pam_krb5 to blindly answer the prompt with
the password, but I can already see several problems with this solution.


