
Re: krb5_get_init_creds_opt_set_pkinit() API Help



Question for Love at the bottom.

On Jun 18, 2007, at 4:12 AM, Douglas E. Engert wrote:

> Henry B. Hotz wrote:
>> The specific problem I have is how do I prevent the command line
>> prompt generated by this call.  I've traced it as far as
>> _krb5_load_id(), but . . .
>> I may not be asking the right list, because the prompt is "PIN
>> code for SCR331 USB Smart Card Reader 0 0:". It may be generated
>> by the OpenSC pkcs11 library
>
> No, it is from Heimdal lib/hx509/ks_p11.c to get the PIN to pass
> to the pkcs11 login.

So, am I interpreting this right:  I need to provide a custom
prompter function in order to get the PIN into the pkcs11 interface
code (without actually prompting the user again)?

Thanks for the source pointer.  If I break out of the prompt in gdb
the stack trace doesn't show where I really came from.

>> rather than Heimdal, but I still need to suppress it because my
>> login module already has the PIN/password and already knows
>> whether it's a PIN or a password before it enters the Kerberos code.
>> Now I have some other questions about this module:
>> What are the flags?  Zero seems to work for me, but why might it
>> be 2 or some other value?
>> Why is the prompter function a required argument, if it's not used?
>
> It should be used, did you pass one?

I passed it the standard posix prompter, since it blows up if you
pass NULL.

> Russ Allbery's pam_krb5 version 3.5 should have an example of using
> this routine with the prompter that worked for GDM to show the "PIN
> code for..."

I also passed it some prompter data.  It was ignored, but I never
verified that I gave it the right type.

I'll see if the example answers my questions.

>> Shouldn't there be a config option for the PK ID value (the -C
>> argument to kinit)?  In my case it's an interface library for a
>> card reader, it ought to default to some value for a given system.
>
> The pam_krb5 would look in its args or for [appdefaults]  pkinit_user =
> I don't think kinit has a default.

Love:  Do you agree that [appdefaults] kinit = { pkinit_user =
pkcs11:....} is where this should go?  Should this be an app default
or a lib default?  I'm perfectly willing to code an appdefault check,
but I'd like some guidance that it's the right convention for future
Heimdal releases.

My mindset is based on there being a standard global pkcs11 library
like Solaris 10+ has (and some other OSes may acquire), and that
ought to be the default value for the pkinit library code.  I can
understand that you may want a specific user's pkcs12 file, but that
oughtn't be in the system krb5.conf file.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
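The pattern the thread converges on (a custom prompter that answers the "PIN code for ..." prompt from data the login module already holds, instead of reading the terminal) as an added example. This is not code from the thread, from Heimdal, or from pam_krb5. It deliberately builds without `<krb5.h>`: the `demo_*` types are constructed stand-ins whose field names and argument order are assumed to mirror Heimdal's `krb5_data`, `krb5_prompt` and `krb5_prompter_fct`, and `simulate_pin_request` is a constructed imitation of the library side that hands a prompt with a caller-owned reply buffer to the registered prompter. In a real build you would include `<krb5.h>`, use the `krb5_*` types, and pass `stored_pin_prompter` and a `struct pin_source *` as the prompter and prompter_data arguments of `krb5_get_init_creds_opt_set_pkinit()`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumption) for the shapes of Heimdal's krb5_data,
 * krb5_prompt and the krb5_prompter_fct callback, so this file builds
 * without <krb5.h>. In a real build include <krb5.h>, use the krb5_* types,
 * and keep the callback body unchanged. */
typedef struct { size_t length; void *data; } demo_krb5_data;
typedef struct { const char *prompt; demo_krb5_data *reply; int type; } demo_krb5_prompt;
typedef int demo_krb5_error_code;
typedef demo_krb5_error_code (*demo_prompter_fct)(void *context, void *data,
        const char *name, const char *banner, int num_prompts,
        demo_krb5_prompt prompts[]);

/* What the login module passes as prompter_data: the PIN it already holds.
 * The type must match what the prompter casts data back to. */
struct pin_source { const char *pin; };

/* Prompter that answers every prompt from prompter_data instead of the
 * terminal. Returns 0 on success; any nonzero return makes the caller fail
 * the request, which is what we want instead of an interactive prompt. */
static demo_krb5_error_code stored_pin_prompter(void *context, void *data,
        const char *name, const char *banner, int num_prompts,
        demo_krb5_prompt prompts[])
{
    struct pin_source *src = data;
    int i;
    (void)context; (void)name; (void)banner;

    if (src == NULL || src->pin == NULL)
        return 1;                       /* nothing stored: refuse, never prompt */

    for (i = 0; i < num_prompts; i++) {
        demo_krb5_data *r = prompts[i].reply;
        size_t n = strlen(src->pin);
        /* reply->data is a caller-owned buffer; reply->length is its size on entry */
        if (r == NULL || r->data == NULL || n + 1 > r->length)
            return 1;                   /* buffer too small: fail rather than truncate a PIN */
        memcpy(r->data, src->pin, n + 1);
        r->length = n;                  /* on return, length is the reply length */
    }
    return 0;
}

/* Constructed imitation of the library side (what lib/hx509/ks_p11.c does
 * when the PKCS#11 token needs a login): build a "PIN code for <token>:"
 * prompt backed by a fixed buffer and hand it to the registered prompter.
 * Returns the prompter's status; out holds the PIN on success. */
demo_krb5_error_code simulate_pin_request(const char *token,
        demo_prompter_fct prompter, void *prompter_data,
        char *out, size_t outlen)
{
    char text[128];
    demo_krb5_data reply;
    demo_krb5_prompt p;
    demo_krb5_error_code ret;

    snprintf(text, sizeof text, "PIN code for %s:", token);
    memset(out, 0, outlen);
    reply.data = out;
    reply.length = outlen;
    p.prompt = text;
    p.reply = &reply;
    p.type = 0;                         /* stands in for a password-type prompt (assumed) */

    ret = prompter(NULL, prompter_data, NULL, NULL, 1, &p);
    if (ret != 0)
        memset(out, 0, outlen);         /* never leave a partial secret behind on failure */
    return ret;
}

int main(void)
{
    struct pin_source src = { "1234" };  /* constructed sample PIN */
    char pin[64];

    if (simulate_pin_request("SCR331 USB Smart Card Reader 0 0",
                             stored_pin_prompter, &src, pin, sizeof pin) == 0)
        printf("prompter supplied a %zu-character PIN without a terminal prompt\n",
               strlen(pin));
    memset(pin, 0, sizeof pin);         /* wipe the PIN once the library is done with it */
    return 0;
}
```

Two failure modes are handled deliberately: a missing stored PIN and a reply buffer too small for it both return an error, so the login fails closed instead of silently falling back to the posix prompter or passing a truncated PIN to the token (where repeated wrong PINs can lock the card).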