[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFE: prompt_types, as with MIT krb5 1.2.x

On Mon, May 14, 2001 at 05:04:27AM +0200, Assar Westerlund wrote:
> Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> > > Don't you call the prompter functions with no prompts for those cases?
> > 
> > MIT's krb5_gic_pwd() puts impending password expiration warnings, last
> > login messages, and so on in prompts.
> Really?  Would do they do with the input?

Never mind. I was wrong. MIT krb5's krb5_gic_pwd() just uses the banner
argument for info prompts.

I have PAM on the brain...

> > Doh! I didn't look at it too closely. IIRC, that argument isn't actually
> > used anywhere... I'll have to check again...
> ok, having the same signature is the first step.

And yes, the name argument is used, in lib/krb5/krb/preauth2.c:

 - name get the SAM type name

 - banner gets the SAM challenge label

 - one prompt get the SAM challenge, with prompt_type ==

Unfortunately, HW preauth support in MIT krb5 is incomplete. The US Navy
(Ken Hornstein) has patches to add CryptoCard and SecurId support to MIT krb5
1.1.1, but they can't be easily ported to MIT krb5 1.2.2 because the
infrastructure for doing HW preauth changed significantly between 1.1.1
and 1.2.x (it seems to have matured a lot).

Does Heimdal's OTP HW preauth work as a SAM challenge? Or is it
implemented as a different preauth type?

> /assar