[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal 1.0.2RC6

On Jan 14, 2008, at 3:38 PM, Jeffrey Hutzelman wrote:

> I haven't checked the code, but I would expect the password given  
> to krb5_get_init_creds_opt_set_pkinit() to be one used when the KDC  
> does not support PKINIT and returns an AS-REP encrypted in the  
> user's key.

It's the one used to acquire the x509 credentials used with the  
pkinit pre-auth mechanism.  Unfortunately (IMO) if the creds are in a  
pkcs11 library (which might wrap a smart-card driver) then the  
password is ignored and it's left to the pkcs11 library to prompt the  
user for the password.

Or something like that, anyway.  I posted a backtrace for the code  
path which I didn't want to prompt.  I'm assuming that it could be  
"fixed" without creating the sorts of risks which you and Love are  
concerned about, because I would only call  
krb5_get_init_creds_opt_set_pkinit() once per user prompt in my  
application of it.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu