
Re: RFE: prompt_types, as with MIT krb5 1.2.x



Ken,

I just noticed that MIT krb5 1.2.2 lib/krb5/krb/preauth2.c:pa_sam()
does not call the gak_fct (get_as_key_function) -- it just uses the
gak_data directly, expecting it to be a password. Shouldn't it call
gak_fct instead, like lib/krb5/krb/preauth2.c:pa_enc_timestamp() does?

Nico


On Tue, May 15, 2001 at 11:19:33AM -0400, Nicolas Williams wrote:
> On Mon, May 14, 2001 at 05:04:27AM +0200, Assar Westerlund wrote:
> > Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> > > > Don't you call the prompter functions with no prompts for those cases?
> > > 
> > > MIT's krb5_gic_pwd() puts impending password expiration warnings, last
> > > login messages, and so on in prompts.
> > 
> > Really? What do they do with the input?
> 
> Never mind. I was wrong. MIT krb5's krb5_gic_pwd() just uses the banner
> argument for info prompts.
> 
> I have PAM on the brain...
> 
> > > Doh! I didn't look at it too closely. IIRC, that argument isn't actually
> > > used anywhere... I'll have to check again...
> > 
> > ok, having the same signature is the first step.
> 
> And yes, the name argument is used, in lib/krb5/krb/preauth2.c:
> 
>  - name gets the SAM type name
> 
>  - banner gets the SAM challenge label
> 
>  - one prompt gets the SAM challenge, with prompt_type ==
>    KRB5_PROMPT_TYPE_PREAUTH
> 
> Unfortunately, HW preauth support in MIT krb5 is incomplete. The US Navy
> (Ken Hornstein) has patches to add CryptoCard and SecurId support to MIT krb5
> 1.1.1, but they can't be easily ported to MIT krb5 1.2.2 because the
> infrastructure for doing HW preauth changed significantly between 1.1.1
> and 1.2.x (it seems to have matured a lot).
> 
> Does Heimdal's OTP HW preauth work as a SAM challenge? Or is it
> implemented as a different preauth type?
> 
> > /assar
> 
> 
> Nico