Re: heimdal 1.0.2RC6
On Jan 11, 2008, at 1:52 PM, Jeffrey Hutzelman wrote:
> --On Thursday, December 13, 2007 12:56:07 PM -0800 "Henry B. Hotz"
> <hotz@jpl.nasa.gov> wrote:
>
>> I would be happy if it didn't loop at all. For the use cases I
>> currently have the looping ought to be done at the application
>> layer, not in Heimdal, but it might be easier to just re-run the
>> app. (E.g. login fails. Just try to log in again.) Does this make
>> it easier?
>
> No; the problem is that bad or just incorrectly configured code can
> end up trying multiple times with the same password, without
> notifying the user. We've seen the same thing, though fortunately
> never in a case where the "password" was being used as a PIN,
> because I agree with Love -- something which is passed around as a
> "password" is very often _not_ a PIN for a smartcard or other
> token, and treating it that way can make the user very sad.
>
> -- Jeff
My issue with Heimdal is more localized than what you are
addressing. Heimdal has a pkinit-specific call,
krb5_get_init_creds_opt_set_pkinit(), which takes a "password"
argument. The "password" in that case may decrypt a key file. In
the pkcs11 case it may be the PIN for a smart card. It's never (I
don't think) an actual Kerberos password in the usual sense.
We agree (I think, and possibly disagree with Love) that
krb5_get_init_creds_opt_set_pkinit() should only make one attempt,
and should not loop. I would also like it to actually make the one
attempt without requiring a user prompt if the "password" argument is
present.
Looping behavior at higher levels is questionable, and could still
cause the problems Love was worried about.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
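The hazard both posters describe (code that blindly retries a PIN that was handed to it as a "password", burning the token's retry counter without the user ever seeing a prompt) can be made concrete with a small model. The following is an added example and not code from this thread or from Heimdal: it simulates a PIN-protected token with a three-try lockout, shows the naive retry loop locking it, and then shows a caller-side guard that remembers a digest of the last secret offered and refuses to resubmit the same one without a fresh prompt. The token model, the three-try limit, and the FNV-1a digest are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of a PIN-protected token (smartcard / PKCS#11 slot).
 * Real tokens lock after a vendor-defined number of bad PINs; 3 is assumed here. */
#define TOKEN_MAX_TRIES 3

typedef struct {
    const char *pin;   /* the token's real PIN; constructed sample value */
    int tries_left;    /* remaining attempts before the token locks */
    int locked;        /* 1 once the retry counter is exhausted */
} sim_token;

enum verify_result { VERIFY_OK = 0, VERIFY_BAD_PIN = 1, VERIFY_LOCKED = 2 };

/* Verify a PIN against the token, decrementing the retry counter on failure. */
enum verify_result token_verify_pin(sim_token *t, const char *pin)
{
    if (t->locked)
        return VERIFY_LOCKED;
    if (strcmp(t->pin, pin) == 0) {
        t->tries_left = TOKEN_MAX_TRIES;   /* success resets the counter */
        return VERIFY_OK;
    }
    if (--t->tries_left <= 0) {
        t->locked = 1;
        return VERIFY_LOCKED;
    }
    return VERIFY_BAD_PIN;
}

/* The pattern the thread warns about: a caller that treats the "password"
 * as retryable and loops on failure with the same value, never re-prompting. */
int naive_retry_login(sim_token *t, const char *pin, int attempts)
{
    for (int i = 0; i < attempts; i++) {
        if (token_verify_pin(t, pin) == VERIFY_OK)
            return 1;
    }
    return 0;
}

/* Caller-side guard: keep a digest of the last secret submitted and refuse
 * to send the identical secret again until the caller has re-prompted.
 * FNV-1a is used only as a cheap fingerprint; it is not a password hash. */
static uint64_t fnv1a64(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

typedef struct {
    uint64_t last_digest;
    int have_last;
} attempt_guard;

enum guard_result { GUARD_OK = 0, GUARD_BAD_PIN = 1, GUARD_LOCKED = 2, GUARD_REFUSED_REPEAT = 3 };

/* One attempt per distinct secret: a repeat is refused before it reaches the token. */
enum guard_result guarded_login(attempt_guard *g, sim_token *t, const char *pin)
{
    uint64_t d = fnv1a64(pin);
    if (g->have_last && g->last_digest == d)
        return GUARD_REFUSED_REPEAT;
    g->last_digest = d;
    g->have_last = 1;
    switch (token_verify_pin(t, pin)) {
    case VERIFY_OK:     g->have_last = 0; return GUARD_OK;  /* clear after success */
    case VERIFY_LOCKED: return GUARD_LOCKED;
    default:            return GUARD_BAD_PIN;
    }
}

/* Called after the user has actually been shown a prompt again. */
void guard_reprompted(attempt_guard *g) { g->have_last = 0; }

int main(void)
{
    sim_token a = { "1234", TOKEN_MAX_TRIES, 0 };
    naive_retry_login(&a, "0000", 5);
    printf("naive loop: locked=%d tries_left=%d\n", a.locked, a.tries_left);

    sim_token b = { "1234", TOKEN_MAX_TRIES, 0 };
    attempt_guard g = { 0, 0 };
    printf("guarded: first bad PIN -> %d\n", guarded_login(&g, &b, "0000"));
    printf("guarded: same bad PIN  -> %d (tries_left=%d)\n", guarded_login(&g, &b, "0000"), b.tries_left);
    printf("guarded: correct PIN   -> %d\n", guarded_login(&g, &b, "1234"));
    return 0;
}
```

The guard does not make retries impossible; it only forces the decision to retry back to whoever can re-prompt the user, which is the separation the thread argues for: the library makes one attempt with the secret it was given, and any looping happens (if at all) where the user can be told about it.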