[39511] in Kerberos
Re: IAKERB Starter Credentials Solution
daemon@ATHENA.MIT.EDU (Nico Williams)
Sat Apr 26 12:38:11 2025
Date: Sat, 26 Apr 2025 11:36:43 -0500
From: Nico Williams <nico@cryptonector.com>
To: Michael B Allen <ioplex@gmail.com>
Cc: kerberos <kerberos@mit.edu>
Message-ID: <aA0Lm7Ln7IU3t22Z@ubby>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAGMFw4jy=ceiETpLu9Aa1W0TYnjHedW3DMx7fss4XFrD-HzN=w@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Sat, Apr 26, 2025 at 10:39:02AM -0400, Michael B Allen wrote:
> I'm drilling down into IAKERB right now and I had a thought ...
>
> Unlike regular Kerberos where the initiator has a ticket from the ccache
> already acquired in a separate authentication step, IAKERB needs "starter"
> credentials like a principal name and plaintext password.
>
> So how does an IAKERB initiator get the client principal name and password?
See:
- gss_acquire_cred_with_password() / gss_add_cred_with_password()
- gss_acquire_cred_from()
The problem with the above is that there is no way to interactively find
out what the user must supply, but otherwise they work. And if the only
thing the user needs besides a password is a one-time password or a
smartcard then we could have new error codes by which to indicate this
so the application can prompt for those and retry, so the lack of
interactivity is not a big deal.
OS X used to have a dialog pop-up for such things, but that did not work
well.
Rather than a callback I'd prefer to have a new major status code that
indicates that the application must call a function to extract the
prompts / supply answers, and this would use the partial security
context handle to sequence things.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
