[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heimdal 1.0.2RC6
Hello,
Its the pkcs11 module i heimdal that distrusts passwords, the reason
is that I locked one too many card with looping code that tries more
the 3 times with wrong pin codes and thus locks the code.
It should be made to handle the password/prompting better.
Love
12 dec 2007 kl. 03.04 skrev Henry B. Hotz:
> This is actually from RC5, but I suspect you haven't changed anything.
>
> Adding a password to krb5_get_init_creds_opt_set_pkinit() seems to
> have no effect, at least when pkcs11 is used for the user cert. You
> *still* get prompted for the PIN by the library. It looks like the
> password argument gets lost in the hx509 stuff somewhere between
> _krb5_pk_load_id() and p11_init_slot(). I believe some other code
> works around this by writing their own prompter function. I'd
> rather that wasn't needed.
>
> Breakpoint 1, krb5_prompter_posix (context=0x1100f50, data=0x0,
> name=0x0, banner=0x0, num_prompts=1, prompts=0xbffff4b8) at
> prompter_posix.c:48
> 48 if (name)
> (gdb) bt
> #0 krb5_prompter_posix (context=0x1100f50, data=0x0, name=0x0,
> banner=0x0, num_prompts=1, prompts=0xbffff4b8) at prompter_posix.c:48
> #1 0x00239c75 in hx_pass_prompter (data=0xbffff7f8,
> prompter=0xbffff55c) at pkinit.c:1415
> #2 0x003ee458 in hx509_lock_prompt (lock=0x11033d0,
> prompt=0xbffff55c) at lock.c:206
> #3 0x003ea611 in p11_get_session (context=0x1103330, p=0x1103080,
> slot=0x110a540, lock=0x11033d0, psession=0xbffff6d0) at ks_p11.c:433
> #4 0x003ea3b4 in p11_init_slot (context=0x1103330, p=0x1103080,
> lock=0x11033d0, id=0, num=0, slot=0x110a540) at ks_p11.c:352
> #5 0x003eb54a in p11_init (context=0x1103330, certs=0x1103040,
> data=0x1103048, flags=0, residue=0x1f9b "/Library/OpenSC/lib/opensc-
> pkcs11.so", lock=0x11033d0) at ks_p11.c:909
> #6 0x003e768c in hx509_certs_init (context=0x1103330, name=0x1f94
> "pkcs11:/Library/OpenSC/lib/opensc-pkcs11.so", flags=0,
> lock=0x11033d0, certs=0x1103318) at keyset.c:118
> #7 0x00239e47 in _krb5_pk_load_id (context=0x1100f50,
> ret_id=0x11034d0, user_id=0x1f94 "pkcs11:/Library/OpenSC/lib/opensc-
> pkcs11.so", anchor_id=0x11034f0 "FILE:/Library/KerberosCerts/
> cacert.pem", chain_list=0x0, revoke_list=0x0, prompter=0x23d62a
> <krb5_prompter_posix>, prompter_data=0x0, password=0xbffffa75 "abc")
> at pkinit.c:1487
> #8 0x0023aecb in krb5_get_init_creds_opt_set_pkinit
> (context=0x1100f50, opt=0x1103440, principal=0x1103430,
> user_id=0x1f94 "pkcs11:/Library/OpenSC/lib/opensc-pkcs11.so",
> x509_anchors=0x11034f0 "FILE:/Library/KerberosCerts/cacert.pem",
> pool=0x0, pki_revoke=0x0, flags=0, prompter=0x23d62a
> <krb5_prompter_posix>, prompter_data=0x0, password=0xbffffa75 "abc")
> at pkinit.c:1973
> #9 0x00001e06 in KLoginPrincipal (principal=0xbffffa5e "hotz@HOTZ.JPL.NASA.GOV
> ", password=0xbffffa75 "abc") at ttest.c:51
> #10 0x00001f26 in main (argc=3, argv=0xbffff998) at ttest.c:88
> (gdb)
>
> On Dec 9, 2007, at 8:35 AM, Love Hörnquist Åstrand wrote:
>
>> Hello,
>>
>> There is now a 1.0.2RC6 on the snapshot on the ftp area (also mac
>> and ubuntu binaries).
>>
>> Will do a release of 1.0.2 in the middle of next week unless
>> something pops up.
>>
>> Love
>
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>