Groups | Search | Server Info | Login | Register
Groups > comp.protocols.kerberos > #5402
| From | Nico Williams <nico@cryptonector.com> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: IAKERB Starter Credentials Solution |
| Date | 2025-04-26 11:36 -0500 |
| Organization | TNet Consulting |
| Message-ID | <mailman.184.1745685412.2322.kerberos@mit.edu> (permalink) |
| References | <CAGMFw4jy=ceiETpLu9Aa1W0TYnjHedW3DMx7fss4XFrD-HzN=w@mail.gmail.com> <aA0Lm7Ln7IU3t22Z@ubby> |
On Sat, Apr 26, 2025 at 10:39:02AM -0400, Michael B Allen wrote: > I'm drilling down into IAKERB right now and I had a thought ... > > Unlike regular Kerberos where the initiator has a ticket from the ccache > already acquired in a separate authentication step, IAKERB needs "starter" > credentials like a principal name and plaintext password. > > So how does an IAKERB initiator get the client principal name and password? See: - gss_acquire_cred_with_password() / gss_add_cred_with_password() - gss_acquire_cred_from() The problem with the above is that there is no way to interactively find out what the user must supply, but otherwise they work. And if the only thing the user needs besides a password is a one-time password or a smartcard then we could have new error codes by which to indicate this so the application can prompt for those and retry, so the lack of interactivity is not a big deal. OS X used to have a dialog pop-up for such things, but that did not work well. Rather than a callback I'd prefer to have a new major status code that indicates that the application must call a function to extract the prompts / supply answers, and this would use the partial security context handle to sequence things. Nico --
Back to comp.protocols.kerberos | Previous | Next | Find similar
Re: IAKERB Starter Credentials Solution Nico Williams <nico@cryptonector.com> - 2025-04-26 11:36 -0500
csiph-web