Re: heimdal 1.0.2RC6
--On Friday, January 11, 2008 04:34:47 PM -0800 "Henry B. Hotz"
> My issue with Heimdal is more localized than what you are addressing.
> Heimdal has a pkinit-specific call, krb5_get_init_creds_opt_set_pkinit(),
> which takes a "password" argument. The "password" in that case may
> decrypt a key file. In the pkcs11 case it may be the PIN for a smart
> card. It's never (I don't think) an actual Kerberos password in the
> usual sense.
I think you're making a different distinction than I am. For me, the
question is not whether it's a "Kerberos password" in the sense that it can
be used to directly derive a key known to the KDC. Rather, the important
question is whether it's something like a Kerberos password or the key to
decrypt a key file, which can be used more or less with impunity, versus
the PIN for a smart card or similar device which will permanently lock you
out after a certain (small) number of incorrect attempts.
I don't want to end up in a situation where a user is locked out of his
smart card because he used some other password and the software first tried
using PKINIT with his password as the PIN. To avoid this sort of
situation, authenticating to such a device should be tried only with a PIN
the user has provided specifically for that purpose, and never with a
"password" that might also be used for some other purpose.
Naturally, I can't tell you what Love is thinking; we'll have to leave that
up to him.
I haven't checked the code, but I would expect the password given to
krb5_get_init_creds_opt_set_pkinit() to be one used when the KDC does not
support PKINIT and returns an AS-REP encrypted in the user's key.
> We agree (I think, and possibly disagree with Love) that
> krb5_get_init_creds_opt_set_pkinit() should only make one attempt, and
> should not loop.
I think we all agree on that point.
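The distinction drawn in this reply, a secret that can be retried freely versus a PIN for a device that locks out, can be captured in code. The following is an added illustration written for this page, not Heimdal's implementation; the `struct secret`, `struct token` and `pkinit_try_once()` names are hypothetical, and the token is a constructed stand-in for a PKCS#11 device.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model (not Heimdal code): every secret is tagged with its
 * purpose so a caller can tell a reusable password or key-file passphrase
 * apart from a PIN the user supplied specifically for a lockable device. */
enum secret_kind { SECRET_PASSWORD, SECRET_KEYFILE_PASSPHRASE, SECRET_PIN };

struct secret {
    enum secret_kind kind;
    const char *value;
};

/* Constructed stand-in for a smart card or key file: a wrong secret on a
 * lockable token decrements tries_left; at zero the token is locked for good. */
struct token {
    const char *expected;   /* the PIN or passphrase the token accepts */
    int tries_left;
    bool locks_out;         /* true for a smart card, false for a key file */
};

enum pkinit_result { PKINIT_OK, PKINIT_REFUSED, PKINIT_FAILED, PKINIT_LOCKED };

/* Exactly one attempt, never a loop. A secret that is not a purpose-specific
 * PIN is refused before it reaches a device that can lock out, so a user's
 * ordinary password can never burn one of the card's few remaining tries. */
enum pkinit_result pkinit_try_once(struct token *tok, const struct secret *s)
{
    if (tok->locks_out && s->kind != SECRET_PIN)
        return PKINIT_REFUSED;           /* no attempt consumed on the token */
    if (tok->locks_out && tok->tries_left <= 0)
        return PKINIT_LOCKED;
    if (strcmp(tok->expected, s->value) == 0)
        return PKINIT_OK;
    if (tok->locks_out)
        tok->tries_left--;               /* one failure charged, then stop */
    return PKINIT_FAILED;
}

/* Constructed scenario: a card with 3 tries is offered the user's login
 * password, then a wrong PIN, then the right PIN. Returns tries left (2):
 * only the wrong PIN was charged; the password was never presented. */
int scenario_card_tries_left(void)
{
    struct token card = { "1234", 3, true };
    struct secret pw = { SECRET_PASSWORD, "1234" };
    struct secret bad = { SECRET_PIN, "0000" };
    struct secret good = { SECRET_PIN, "1234" };
    pkinit_try_once(&card, &pw);
    pkinit_try_once(&card, &bad);
    pkinit_try_once(&card, &good);
    return card.tries_left;
}
```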