
Re: krb5_get_init_creds_opt_set_pkinit() API Help





Henry B. Hotz wrote:
> The specific problem I have is how do I prevent the command line prompt 
> generated by this call.  I've traced it as far as _krb5_load_id(), but . . .
> 
> I may not be asking the right list, because the prompt is "PIN code for 
> SCR331 USB Smart Card Reader 0 0:". It may be generated by the OpenSC
> pkcs11 library 

No, it is from Heimdal lib/hx509/ks_p11.c to get the PIN to pass
to the pkcs11 login.

> rather than Heimdal, but I still need to suppress it 
> because my login module already has the PIN/password and already knows 
> whether it's a PIN or a password before it enters the Kerberos code.
> 
> Now I have some other questions about this module:
> 
> What are the flags?  Zero seems to work for me, but why might it be 2 or 
> some other value?
> 
> Why is the prompter function a required argument, if it's not used?

It should be used, did you pass one?

Russ Allbery's pam_krb5 version 3.5 should have an example of using
this routine with the prompter that worked for GDM to show the "PIN code for..."

> 
> Shouldn't there be a config option for the PK ID value (the -C argument 
> to kinit)?  In my case it's an interface library for a card reader, it 
> ought to default to some value for a given system.

The pam_krb5 would look in its args or for [appdefaults]  pkinit_user =
I don't think kinit has a default.


> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444