Re: RFE: prompt_types, as with MIT krb5 1.2.x
Ken,
I just noticed that MIT krb5 1.2.2 lib/krb5/krb/preauth2.c:pa_sam()
does not call the gak_fct (get_as_key_function) -- it just uses the
gak_data directly, expecting it to be a password. Shouldn't it call
gak_fct instead, like lib/krb5/krb/preauth2.c:pa_enc_timestamp() does?
Nico
On Tue, May 15, 2001 at 11:19:33AM -0400, Nicolas Williams wrote:
> On Mon, May 14, 2001 at 05:04:27AM +0200, Assar Westerlund wrote:
> > Nicolas Williams <Nicolas.Williams@ubsw.com> writes:
> > > > Don't you call the prompter functions with no prompts for those cases?
> > >
> > > MIT's krb5_gic_pwd() puts impending password expiration warnings, last
> > > login messages, and so on in prompts.
> >
> > Really? What do they do with the input?
>
> Never mind. I was wrong. MIT krb5's krb5_gic_pwd() just uses the banner
> argument for info prompts.
>
> I have PAM on the brain...
>
> > > Doh! I didn't look at it too closely. IIRC, that argument isn't actually
> > > used anywhere... I'll have to check again...
> >
> > ok, having the same signature is the first step.
>
> And yes, the name argument is used, in lib/krb5/krb/preauth2.c:
>
> - name gets the SAM type name
>
> - banner gets the SAM challenge label
>
> - one prompt gets the SAM challenge, with prompt_type ==
> KRB5_PROMPT_TYPE_PREAUTH
>
> Unfortunately, HW preauth support in MIT krb5 is incomplete. The US Navy
> (Ken Hornstein) has patches to add CryptoCard and SecurID support to MIT krb5
> 1.1.1, but they can't be easily ported to MIT krb5 1.2.2 because the
> infrastructure for doing HW preauth changed significantly between 1.1.1
> and 1.2.x (it seems to have matured a lot).
>
> Does Heimdal's OTP HW preauth work as a SAM challenge? Or is it
> implemented as a different preauth type?
>
> > /assar
>
>
> Nico