In the prompter, you can call krb5_get_prompt_types() to get an array of types for each prompt. (It may return NULL in some cases.) If the prompt type is KRB5_PROMPT_TYPE_PASSWORD, then you know you're being asked for the password. This should allow you to (1) disable password prompting when use_pkinit is set, and (2) store the password when try_pkinit is set and the library falls back. Is this sufficient?
More generally, I'm not sure the pam_krb5 module ought to be driving the decision to use PKINIT. For Heimdal it may be necessary to make PKINIT go at all, but MIT krb5 tries to control preauthentication from within libkrb5 and the KDC, so that new mechanisms can be added via loadable modules.

That said, we do have this in 1.11: http://web.mit.edu/kerberos/krb5-latest/doc/appdev/init_creds.html#responder-callback (See also http://k5wiki.kerberos.org/wiki/Projects/Responder) However, it won't be integrated properly with PKINIT until 1.12.
