On 3/8/20 8:01 PM, Russ Allbery wrote:
> I think the reason why I am confused by this is that Heimdal uses the
> prompter to pass along informational messages such as "your principal is
> about to expire," and I wasn't sure how MIT Kerberos would do the same
> thing with the responder interface. But maybe it doesn't present those
> messages, or uses the prompter for them even if a responder is provided
> and answers the actual questions?

In MIT krb5 you can set an expire callback
(krb5_get_init_creds_opt_set_expire_callback()); otherwise the prompter
is used if present, whether or not a responder is provided.

[Regarding the double prompt:]
> Here's the trace output, but it's not very useful since it seems to end
> after the authentication and doesn't include the verify attempt.

Yeah, I don't see an explanation there. A PKINIT PKCS12 prompter call
should be preceded by a "PKINIT initial PKCS12_parse with no password
failed" message. There are two such trace messages, but the first comes
during prep_questions(), when prompting is deferred (instead, the
identity is saved and a question for the responder is generated).