Re: krb5_get_init_creds_opt_set_pkinit() API Help
Henry B. Hotz wrote:
> The specific problem I have is how do I prevent the command line prompt
> generated by this call. I've traced it as far as _krb5_load_id(), but . . .
>
> I may not be asking the right list, because the prompt is "PIN code for
> SCR331 USB Smart Card Reader 0 0:". It may be generated by the OpenSC
> pkcs11 library
No, it is from Heimdal lib/hx509/ks_p11.c to get the PIN to pass
to the pkcs11 login.
> rather than Heimdal, but I still need to suppress it
> because my login module already has the PIN/password and already knows
> whether it's a PIN or a password before it enters the Kerberos code.
>
> Now I have some other questions about this module:
>
> What are the flags? Zero seems to work for me, but why might it be 2 or
> some other value?
>
> Why is the prompter function a required argument, if it's not used?
It should be used, did you pass one?
Russ Allbery's pam_krb5 version 3.5 should have an example of using
this routine with the prompter that worked for GDM to show the "PIN code for..."
>
> Shouldn't there be a config option for the PK ID value (the -C argument
> to kinit)? In my case it's an interface library for a card reader, it
> ought to default to some value for a given system.
The pam_krb5 would look in its args or for [appdefaults] pkinit_user =
I don't think kinit has a default.
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444