I'm finally revisiting PKINIT prompting in pam-krb5 and am trying to wrap my head around some subtle nuances of behavior to be sure I'm doing reasonable things. Thus, a few questions:
1. The normal prompter interface has a mechanism to send a "name" and a "banner". Neither of these are very well-documented, but the current PAM module behavior is to output them both (name first, then banner) as PAM_TEXT_INFO. I don't see any equivalent in the responder API. How does that work? Is the prompter called with the name and banner but an empty list of prompts and the responder called with the actual questions, if both are given? In what order? I naively would have expected some way to use the responder interface to completely replace the prompter interface, but that doesn't seem to be possible because name and banner aren't supported. 2. Revisiting this message from many years ago: http://mailman.mit.edu/pipermail/kerberos/2013-May/018973.html the suggestion for use_pkinit was to have a prompter that declined to respond to password questions and only passed along preauth questions. This would be an alternative approach to using the responder API. However, this prompts a question: how does a prompter decline to respond to a question? Should the prompter return failure if KRB5_PROMPT_TYPE_PASSWORD appears anywhere in krb5_get_prompt_types, presumably without displaying the name or banner? If so, what status code? 3. How can I trigger MIT Kerberos to send a PKINIT prompt with multiple identities so that I can test the code that prompts the user to select one? The code seems determined to prevent me from specifying multiple pkinit_identities. Only the first one in krb5.conf appears to be honored and any subsequent ones are ignored, and kinit doesn't allow X509_user_identity to be set more than once. Do I *have* to have a PKCS11 module to get to that code path, and I cannot access it with FILE or PKCS12 identities? Finally, more a bug report than a question, but MIT Kerberos 1.17, when given a PKCS12 identity file that's protected with a password (which is what I'm using to test PIN prompting) prompts for the password twice. The second time appears to be during the krb5_verify_init_creds call. What's going on here? The user experience is a little odd. kinit only prompts once, but I think that's because kinit never calls krb5_verify_init_creds. -- Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
