
Re: heimdal 1.0.2RC6



--On Friday, January 11, 2008 04:34:47 PM -0800 "Henry B. Hotz" 
<hotz@jpl.nasa.gov> wrote:

> My issue with Heimdal is more localized than what you are addressing.
> Heimdal has a pkinit-specific call, krb5_get_init_creds_opt_set_pkinit(),
> which takes a "password" argument.  The "password" in that case may
> decrypt a key file.  In the pkcs11 case it may be the PIN for a smart
> card.  It's never (I don't think) an actual Kerberos password in the
> usual sense.

I think you're making a different distinction than I am.  For me, the 
question is not whether it's a "Kerberos password" in the sense that it can 
be used to directly derive a key known to the KDC.  Rather, the important 
question is whether it's something like a Kerberos password or the key to 
decrypt a key file, which can be used more or less with impunity, versus 
the PIN for a smart card or similar device which will permanently lock you 
out after a certain (small) number of incorrect attempts.

I don't want to end up in a situation where a user is locked out of his 
smart card because he used some other password and the software first tried 
using PKINIT with his password as the PIN.  To avoid this sort of 
situation, authenticating to such a device should be tried only with a PIN 
the user has provided specifically for that purpose, and never with a 
"password" that might also be used for some other purpose.

Naturally, I can't tell you what Love is thinking; we'll have to leave that 
up to him.


I haven't checked the code, but I would expect the password given to 
krb5_get_init_creds_opt_set_pkinit() to be one used when the KDC does not 
support PKINIT and returns an AS-REP encrypted in the user's key.



> We agree (I think, and possibly disagree with Love) that
> krb5_get_init_creds_opt_set_pkinit() should only make one attempt, and
> should not loop.

I think we all agree on that point.

-- Jeff
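As an added illustration of the distinction drawn in this message (constructed example, not code from the thread or from Heimdal), here is a small Python model of the two designs: a token that locks after a few bad PINs, a PKINIT path that feeds whatever secret it was handed to the card and loops, and a strict path that only ever sends a secret the user explicitly supplied as a PIN, exactly once. The `SmartCard`, `Secret` and `SecretKind` names and the lockout threshold are assumptions of the model.

```python
"""Constructed model of password-vs-PIN handling on a lockout-capable token."""
from dataclasses import dataclass
from enum import Enum


class SecretKind(Enum):
    PASSWORD = "password"  # Kerberos password or key-file passphrase: retries are cheap
    PIN = "pin"            # smart-card PIN: each wrong guess burns a retry counter


@dataclass
class Secret:
    kind: SecretKind
    value: str


@dataclass
class SmartCard:
    """Stand-in for a PKCS#11 token that locks after max_tries wrong PINs (assumed value)."""
    pin: str
    max_tries: int = 3
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_tries

    def login(self, candidate: str) -> bool:
        if self.locked:
            return False
        if candidate == self.pin:
            self.failures = 0
            return True
        self.failures += 1
        return False


def pkinit_naive(card: SmartCard, secret: Secret, attempts: int = 3) -> bool:
    """Unsafe design: no check of where the secret came from, and it loops."""
    return any(card.login(secret.value) for _ in range(attempts))


def pkinit_strict(card: SmartCard, secret: Secret) -> bool:
    """Safe design: only a secret explicitly tagged as a PIN reaches the card, once."""
    if secret.kind is not SecretKind.PIN:
        return False  # leave the card untouched; caller falls back to the password path
    return card.login(secret.value)


def demo() -> tuple:
    """Run both designs with a user password and report (naive locked, strict locked, strict failures)."""
    password = Secret(SecretKind.PASSWORD, "hunter2")
    naive_card, strict_card = SmartCard(pin="1234"), SmartCard(pin="1234")
    pkinit_naive(naive_card, password)
    pkinit_strict(strict_card, password)
    return naive_card.locked, strict_card.locked, strict_card.failures
```

Running `demo()` shows the naive path has locked the card after trying the user's password three times, while the strict path never touched it.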