
Re: RFE: prompt_types, as with MIT krb5 1.2.x



On Mon, May 14, 2001 at 05:04:27AM +0200, Assar Westerlund wrote:
> Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> > > Don't you call the prompter functions with no prompts for those cases?
> > 
> > MIT's krb5_gic_pwd() puts impending password expiration warnings, last
> > login messages, and so on in prompts.
> 
> Really?  What do they do with the input?

Never mind. I was wrong. MIT krb5's krb5_gic_pwd() just uses the banner
argument for info prompts.

I have PAM on the brain...

> > Doh! I didn't look at it too closely. IIRC, that argument isn't actually
> > used anywhere... I'll have to check again...
> 
> ok, having the same signature is the first step.

And yes, the name argument is used, in lib/krb5/krb/preauth2.c:

 - name gets the SAM type name

 - banner gets the SAM challenge label

 - one prompt gets the SAM challenge, with prompt_type ==
   KRB5_PROMPT_TYPE_PREAUTH

Unfortunately, HW preauth support in MIT krb5 is incomplete. The US Navy
(Ken Hornstein) has patches to add CryptoCard and SecurId support to MIT krb5
1.1.1, but they can't be easily ported to MIT krb5 1.2.2 because the
infrastructure for doing HW preauth changed significantly between 1.1.1
and 1.2.x (it seems to have matured a lot).

Does Heimdal's OTP HW preauth work as a SAM challenge? Or is it
implemented as a different preauth type?

> /assar


Nico
--