[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: krb5_get_init_creds_opt_set_pkinit() API Help

> The specific problem I have is how do I prevent the command line  
> prompt generated by this call.  I've traced it as far as  
> _krb5_load_id(), but . . .
> I may not be asking the right list, because the prompt is "PIN code  
> for SCR331 USB Smart Card Reader 0 0:".  It may be generated by the  
> OpenSC pkcs11 library rather than Heimdal, but I still need to  
> suppress it because my login module already has the PIN/password  
> and already knows whether it's a PIN or a password before it enters  
> the Kerberos code.
> Now I have some other questions about this module:
> What are the flags?  Zero seems to work for me, but why might it be  
> 2 or some other value?

Zero is just fine. 2 is a hack to force encKey.

> Why is the prompter function a required argument, if it's not used?

Its used, the reason the p11 module doesn't read the password is to  
avoid locking up the card. I didn't trust myself to get that right in  
the first try
after killing two cards the same day in another codebase.

> Shouldn't there be a config option for the PK ID value (the -C  
> argument to kinit)?  In my case it's an interface library for a  
> card reader, it ought to default to some value for a given system.

There is, for kinit, but not for the library.