Re: heimdal 1.0.2RC6
On Jan 14, 2008, at 3:38 PM, Jeffrey Hutzelman wrote:
> I haven't checked the code, but I would expect the password given
> to krb5_get_init_creds_opt_set_pkinit() to be one used when the KDC
> does not support PKINIT and returns an AS-REP encrypted in the
> user's key.
It's the one used to acquire the x509 credentials used with the pkinit pre-auth mechanism. Unfortunately (IMO) if the creds are in a pkcs11 library (which might wrap a smart-card driver) then the password is ignored and it's left to the pkcs11 library to prompt the user for the password.

Or something like that, anyway. I posted a backtrace for the code path which I didn't want to prompt. I'm assuming that it could be "fixed" without creating the sorts of risks which you and Love are concerned about, because I would only call krb5_get_init_creds_opt_set_pkinit() once per user prompt in my application of it.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu