Project review: response sets
Nico Williams
nico at cryptonector.com
Fri Jul 13 17:34:06 EDT 2012
On Fri, Jul 13, 2012 at 4:05 PM, Nathaniel McCallum
<npmccallum at redhat.com> wrote:
> On Fri, 2012-07-13 at 15:48 -0500, Nico Williams wrote:
>> I do think it follows that the pre-auth plugin should do the
>> validation. I don't think it follows that we must use void * instead
>> of char *.
>
> In fact, it does. The "answer" is definitely non-trivial. It is NOT
> simply a password. A typical reply looks like this (assuming a bunch of
> relevant data is generated by the plugin and not the application):
> 1. Which token was used. This is an index into the question array.
> 2. The token (format validated)
> 3. The pin
> 4. Flags
Excuse my ignorance, but why are flags necessary in the context of
prompting the user? You don't mean that the application should be
responsible for interfacing with hardware tokens plugged into token
slots, do you?
Nico
--
More information about the krbdev
mailing list