Getting the password in a preauth plugin

[Nathaniel McCallum]

On Wed, 2012-04-18 at 11:47 +0300, Yair Yarom wrote:
> Greg Hudson <ghudson at MIT.EDU> writes:
> 
> > On 04/16/2012 09:13 AM, Yair Yarom wrote:
> >> In a preauth plugin, in the client process function, I want to get the
> >> user's password if available. I want the password itself, and if the
> >> user hasn't entered it yet don't prompt for it (I'll call the prompter
> >> later for that purpose). 
> >
> >> Is there a correct way to get it?
> >
> > Not in the current preauth interface, and as far as I understand the
> > design, that's deliberate.  The method you're currently using will
> > probably fail badly if the caller tries to authenticate with a keytab.
> >
> > Can you explain more about what you're doing?  We could potentially
> > provide a password callback in a future version of the interface, given
> > a good reason.
> 
> My preauth plugin is based on Nordberg's FAST OTP plugin.

That project is dead, but has been folded into AuthHub:
https://fedorahosted.org/AuthHub/

I would avoid using it as a base. You could do the same thing as an
AuthHub plugin with a lot less work.

> I want to get
> a ticket through pam, but some applications set the username and
> password and don't support the pam conversation properly. So I want to
> use pam_krb5's {use,try,force}_first_pass to try to avoid the pam
> conversation completely. As such I need pam_krb5 to pass the password to
> the plugin without prompting.
> 
> My other solution is to ask pam_krb5 to blindly answer the prompt with
> the password, but I can already see several problems with this solution.

I don't think there is a good solution to this problem.

Nathaniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20120418/265ab7b3/attachment.bin