[3718] in Kerberos-V5-bugs
Re: [krbdev.mit.edu #1278] No prompter interface for krb5_get_init_creds_keytab
daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Thu Dec 19 00:55:28 2002
Mail-Followup-To: rt@krbdev.mit.edu
Message-Id: <rt-1278-3798.2.61824673488221@krbdev.mit.edu>
In-Reply-To: <rt-1278@krbdev.mit.edu>
From: "Sam Hartman via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
Mail-Copies-To: never
To: kenh@mit.edu
Cc: krbdev@mit.edu, krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Thu, 19 Dec 2002 00:54:11 -0500 (EST)

So, note that there are two sides to the interaction. I think the
current interface correctly handles the case where you want the
preauth mechanism to interact with a user using an
application-supplied prompter function.
This is mechanism-independent and similar to PAM conversation functions.

Ken pointed out that we have no way of setting this up while using a
keytab to get a long-term key. I agree that this functionality should
be offered and agreed to accept the functionality if code is
committed.

I disagree that Ken's use of the keytab interface for the hw-auth
draft is appropriate but don't believe he plans to give us that code,
so I'm not sure it matters.

None of this speaks to a related problem which is how we get preauth
mechanism specific data from an application or hardware device to that
mechanism. The current prompter interface is clearly appropriate (as
are things like PAM conversation functions within the PAM framework).
It sounds like Richard is addressing that problem rather than the user
interaction problem.