
Re: heimdal 1.0.2RC6

On Jan 11, 2008, at 1:52 PM, Jeffrey Hutzelman wrote:

> --On Thursday, December 13, 2007 12:56:07 PM -0800 "Henry B. Hotz"  
> <hotz@jpl.nasa.gov> wrote:
>> I would be happy if it didn't loop at all.  For the use cases I
>> currently have the looping ought to be done at the application layer,
>> not in Heimdal, but it might be easier to just re-run the app.  (E.g.
>> login fails.  Just try to log in again.)  Does this make it easier?
> No; the problem is that bad or just incorrectly configured code can  
> end up trying multiple times with the same password, without  
> notifying the user. We've seen the same thing, though fortunately  
> never in a case where the "password" was being used as a PIN,  
> because I agree with Love -- something which is passed around as a  
> "password" is very often _not_ a PIN for a smartcard or other  
> token, and treating it that way can make the user very sad.
> -- Jeff

My issue with Heimdal is more localized than what you are  
addressing.  Heimdal has a pkinit-specific call,  
krb5_get_init_creds_opt_set_pkinit(), which takes a "password"  
argument.  The "password" in that case may decrypt a key file.  In  
the pkcs11 case it may be the PIN for a smart card.  It's never (I  
don't think) an actual Kerberos password in the usual sense.

We agree (I think, and possibly disagree with Love) that  
krb5_get_init_creds_opt_set_pkinit() should only make one attempt,  
and should not loop.  I would also like it to actually make the one  
attempt without requiring a user prompt if the "password" argument is  

Looping behavior at higher levels is questionable, and could still  
cause the problems Love was worried about.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu