[38701] in Kerberos


Re: Nuances of MIT Kerberos prompting

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Mar 9 01:05:26 2020

To: Russ Allbery <eagle@eyrie.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <015ca06b-dc8a-f722-4e52-1c96a3276ec0@mit.edu>
Date: Mon, 9 Mar 2020 01:02:56 -0400
MIME-Version: 1.0
In-Reply-To: <87zhcq2y7b.fsf@hope.eyrie.org>
Content-Language: en-US
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 3/8/20 8:01 PM, Russ Allbery wrote:
> I think the reason why I am confused by this is that Heimdal uses the
> prompter to pass along informational messages such as "your principal is
> about to expire," and I wasn't sure how MIT Kerberos would do the same
> thing with the responder interface.  But maybe it doesn't present those
> messages, or uses the prompter for them even if a responder is provided
> and answers the actual questions?

In MIT krb5 you can set an expire callback
(krb5_get_init_creds_opt_set_expire_callback()); otherwise the prompter
is used if present, whether or not a responder is provided.

[Regarding the double prompt:]
> Here's the trace output, but it's not very useful since it seems to end
> after the authentication and doesn't include the verify attempt.

Yeah, I don't see an explanation there.  A PKINIT PKCS12 prompter call
should be preceded by a "PKINIT initial PKCS12_parse with no password
failed" message.  There are two such trace messages, but the first comes
during prep_questions(), when prompting is deferred (instead, the
identity is saved and a question for the responder is generated).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
