[3713] in Kerberos-V5-bugs
Re: [krbdev.mit.edu #1278] No prompter interface for krb5_get_init_creds_keytab
daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Tue Dec 17 16:23:49 2002
Mail-Followup-To: rt@krbdev.mit.edu
Message-Id: <rt-1278-3792.12.629979033763@krbdev.mit.edu>
In-Reply-To: <rt-1278@krbdev.mit.edu>
From: "Sam Hartman via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
Mail-Copies-To: never
To: kenh@mit.edu
Cc: krbdev@mit.edu, krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Tue, 17 Dec 2002 16:22:19 -0500 (EST)

Marc, read the draft (draft-ietf-krb-wg-hw-auth) if you want to
understand what is going on.

I actually think that passing in this particular key as the keytab is
wrong, but since Ken is not planning on contributing the code that
uses this preauth type, just the new get_init_creds API, I don't have
to make that evaluation.

While I agree that keytabs are commonly used by applications that
do not want user interaction, it does not seem unreasonable to use
them in other circumstances where using a prompter is appropriate.
Certainly it is possible to store a long-term key in a keytab even if
the KDC requires preauth for that key. In the current code base there
is not client-side support for this case.