[16885] in Kerberos_V5_Development
Re: gnome-keyring Obtaining a TGT without unrestricted access to
daemon@ATHENA.MIT.EDU (David Woodhouse)
Thu Jun 16 06:54:14 2011
From: David Woodhouse <dwmw2@infradead.org>
To: Guido =?ISO-8859-1?Q?G=FCnther?= <agx@sigxcpu.org>
Date: Thu, 16 Jun 2011 11:53:58 +0100
In-Reply-To: <20110616104058.GB22281@bogon.sigxcpu.org>
Message-ID: <1308221639.3450.272.camel@i7.infradead.org>
Mime-Version: 1.0
Cc: Russ Allbery <rra@stanford.edu>, stefw@collabora.co.uk, krbdev@mit.edu,
gnome-keyring-list@gnome.org
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thu, 2011-06-16 at 12:40 +0200, Guido Günther wrote:
> How does this integrate with PKINIT and FAST? The reason
> krb5-auth-dialog relies on krb5_get_init_creds_* is that the Kerberos
> library handles asking for the right authentication (Password or e.g.
> smartcard PIN) at the moment.
In the case where you are using password authentication, currently
krb5-auth-dialog calls krb5_get_init_creds_password().
That will internally call krb5int_get_init_creds() with a pointer to the
krb5_get_as_key_password() function, which gets called when the key is
required.
If you were to (somehow) call krb5int_get_init_creds() with a pointer to
your *own* get_as_key function, your get_as_key function could return a
krb5_keyblock for a "special" key. As discussed, that key is exactly
like a key in a hardware/PKCS#11 token, where we don't actually have
the private key data, so we have to call out to the 'token' to perform the
operations with that key, instead of trying to do the maths for
ourselves.
And of course if gkr isn't present or isn't playing, your get_as_key
function would just do everything the old way; perhaps just by calling
krb5_get_as_key_password() directly.
-- dwmw2
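The design David describes above, a get_as_key hook that hands the library either an opaque "token-held" key or a conventional password-derived key, as an added self-contained model (this is not code from the thread, krb5-auth-dialog or MIT krb5). The names as_keyblock, keyring_token and get_as_key_hook are hypothetical, no real krb5 API is called, and both the key derivation and the token operation are constructed placeholders standing in for string-to-key and the real key usage; the point shown is that the consuming side never reads raw key bytes, so a key whose material lives only in the daemon works through the same path as one derived locally:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEYLEN 16

struct as_keyblock;
/* Every use of the key goes through this operation, whoever holds the key. */
typedef int (*key_op_fn)(struct as_keyblock *kb, const uint8_t *in, size_t len, uint8_t *out);

/* Hypothetical keyblock: either raw bytes (password path) or an opaque handle
 * to an external holder (keyring/token path), plus the operation to call. */
typedef struct as_keyblock {
    int has_raw_key;          /* 1: key[] is valid; 0: material lives in token only */
    uint8_t key[KEYLEN];
    void *token;              /* opaque handle, meaningful only to token_op() */
    key_op_fn op;
} as_keyblock;

/* Constructed stand-in for a keyring daemon / PKCS#11 token: the secret never leaves it. */
typedef struct keyring_token {
    int available;            /* 0 models "gkr isn't present or isn't playing" */
    uint8_t secret[KEYLEN];
    int calls;                /* number of times the library asked the token to do key work */
} keyring_token;

/* Token path: placeholder XOR, not real cryptography. */
static int token_op(as_keyblock *kb, const uint8_t *in, size_t len, uint8_t *out) {
    keyring_token *tok = kb->token;
    tok->calls++;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ tok->secret[i % KEYLEN];
    return 0;
}

/* Raw-key path: same placeholder operation, but using bytes the library holds itself. */
static int raw_op(as_keyblock *kb, const uint8_t *in, size_t len, uint8_t *out) {
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ kb->key[i % KEYLEN];
    return 0;
}

/* Constructed stand-in for string-to-key (FNV-1a style mixing); NOT Kerberos string2key. */
static void toy_string_to_key(const char *password, const uint8_t *salt, size_t saltlen,
                              uint8_t out[KEYLEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < saltlen; i++) { h ^= salt[i]; h *= 16777619u; }
    for (const char *p = password; *p; p++) { h ^= (uint8_t)*p; h *= 16777619u; }
    for (size_t i = 0; i < KEYLEN; i++) { h ^= (uint32_t)i; h *= 16777619u; out[i] = (uint8_t)(h >> 24); }
}

/* The hook itself: prefer the daemon-held key; otherwise fall back to the old
 * password-derived path. Returns 0 on success, -1 if neither source is usable. */
static int get_as_key_hook(keyring_token *gkr, const char *password,
                           const uint8_t *salt, size_t saltlen, as_keyblock *kb) {
    memset(kb, 0, sizeof *kb);
    if (gkr && gkr->available) {
        kb->has_raw_key = 0;      /* no private key data on our side */
        kb->token = gkr;
        kb->op = token_op;
        return 0;
    }
    if (!password)
        return -1;                /* nothing to fall back on */
    kb->has_raw_key = 1;
    toy_string_to_key(password, salt, saltlen, kb->key);
    kb->op = raw_op;
    return 0;
}

/* "Library" side: it only ever dispatches through kb->op and never touches kb->key. */
static int library_use_key(as_keyblock *kb, const uint8_t *in, size_t len, uint8_t *out) {
    return kb->op(kb, in, len, out);
}

int main(void) {
    keyring_token tok = { .available = 1, .secret = {1, 2, 3, 4}, .calls = 0 };
    uint8_t msg[4] = { 'a', 'b', 'c', 'd' }, out[4];
    as_keyblock kb;
    if (get_as_key_hook(&tok, NULL, NULL, 0, &kb) == 0 && library_use_key(&kb, msg, 4, out) == 0)
        printf("token path: raw key on our side = %d, token calls = %d\n", kb.has_raw_key, tok.calls);
    tok.available = 0;
    if (get_as_key_hook(&tok, "password", (const uint8_t *)"salt", 4, &kb) == 0)
        printf("fallback path: raw key on our side = %d\n", kb.has_raw_key);
    return 0;
}
```

When the daemon is reachable the keyblock carries only a handle, so a compromise of the calling process memory yields no key bytes, which is the property the thread compares with a hardware token; when it is not, the hook degrades to the conventional path without the caller needing to know which happened.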
_______________________________________________
krbdev mailing list
krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev