Greg Hudson <ghud...@mit.edu> writes: > On 3/8/20 8:01 PM, Russ Allbery wrote:
>> I think the reason why I am confused by this is that Heimdal uses the >> prompter to pass along informational messages such as "your principal >> is about to expire," and I wasn't sure how MIT Kerberos would do the >> same thing with the responder interface. But maybe it doesn't present >> those messages, or uses the prompter for them even if a responder is >> provided and answers the actual questions? > In MIT krb5 you can set an expire callback > (krb5_get_init_creds_opt_set_expire_callback()); otherwise the prompter > is used if present, whether or not a responder is provided. Oh! Okay, that makes sense. In this case, the prompter is called with just a banner but no question? > Yeah, I don't see an explanation there. A PKINIT PKCS12 prompter call > should be preceded by a "PKINIT initial PKCS12_parse with no password > failed" message. There are two such trace messages, but the first comes > during prep_questions(), when prompting is deferred (instead, the > identity is saved and a question for the responder is generated). I was wrong -- it's not during verify creds. (I finally realized that I had enough information that I could set a break point exactly where this happens and look at the call structure.) It appears to be called twice during krb5_get_init_creds_password. Here are the Kerberos library portions of the two backtraces (the prompt in both cases is identical). This is MIT Kerberos 1.17. The relevant difference seems to be in frame 4 and frame 5. Source embedded from the krb5-1.17-final tag. In both cases, k5_preauth then calls the responder. #3 0x00007ffff7f2fc9b in k5_preauth (context=context@entry=0x555555594810, ctx=ctx@entry=0x555555595710, in_padata=0x555555570bd0, must_preauth=must_preauth@entry=1, padata_out=0x555555595928, pa_type_out=pa_type_out@entry=0x5555555958e8) at ../../../../src/lib/krb5/krb/preauth2.c:1061 #4 0x00007ffff7f22397 in init_creds_step_request (out=0x7fffffffc8e0, ctx=0x555555595710, context=0x555555594810) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1398 if (ctx->request->padata == NULL && ctx->method_padata != NULL) { /* Retrying after KDC_ERR_PREAUTH_REQUIRED, or trying again with a * different mechanism after a failure. */ TRACE_INIT_CREDS_PREAUTH(context); code = k5_preauth(context, ctx, ctx->method_padata, TRUE, &ctx->request->padata, &ctx->selected_preauth_type); if (code) { if (save.code != 0) code = k5_restore_ctx_error(context, &save); goto cleanup; } } #5 krb5_init_creds_step (flags=0x7fffffffc8d8, realm=0x7fffffffc900, out=0x7fffffffc8e0, in=<optimized out>, ctx=0x555555595710, context=0x555555594810) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1767 code = init_creds_step_request(context, ctx, out); if (code != 0) goto cleanup; #6 krb5_init_creds_step (context=0x555555594810, ctx=0x555555595710, in=<optimized out>, out=0x7fffffffc8e0, realm=0x7fffffffc900, flags=0x7fffffffc8d8) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1727 #7 0x00007ffff7f230b9 in k5_init_creds_get ( context=context@entry=0x555555594810, ctx=0x555555595710, use_master=use_master@entry=0x7fffffffca98) at ../../../../src/lib/krb5/krb/get_in_tkt.c:608 #8 0x00007ffff7f23214 in k5_get_init_creds ( context=context@entry=0x555555594810, creds=creds@entry=0x555555594cc0, client=client@entry=0x555555596a30, prompter=prompter@entry=0x0, prompter_data=prompter_data@entry=0x555555592d30, start_time=start_time@entry=0, in_tkt_service=0x0, options=0x555555594d40, gak_fct=0x7ffff7f24750 <krb5_get_as_key_password>, gak_data=0x7fffffffcb00, use_master=0x7fffffffca98, as_reply=0x7fffffffcaa0) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1833 #9 0x00007ffff7f24d39 in krb5_get_init_creds_password ( context=0x555555594810, creds=0x555555594cc0, client=0x555555596a30, password=password@entry=0x0, prompter=prompter@entry=0x0, data=data@entry=0x555555592d30, start_time=0, in_tkt_service=0x0, options=0x555555594d40) at ../../../../src/lib/krb5/krb/gic_pwd.c:317 #3 0x00007ffff7f2fc9b in k5_preauth (context=context@entry=0x555555594810, ctx=ctx@entry=0x555555595710, in_padata=0x55555559b210, must_preauth=0, padata_out=padata_out@entry=0x7fffffffc800, pa_type_out=pa_type_out@entry=0x7fffffffc7f4) at ../../../../src/lib/krb5/krb/preauth2.c:1061 #4 0x00007ffff7f21cab in init_creds_step_reply (in=<optimized out>, ctx=0x555555595710, context=0x555555594810) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1638 /* Process the final reply padata. Don't restrict the preauth types or * record a selected preauth type. */ ctx->allowed_preauth_type = KRB5_PADATA_NONE; code = k5_preauth(context, ctx, ctx->reply->padata, FALSE, &kdc_padata, &kdc_pa_type); if (code != 0) goto cleanup; #5 krb5_init_creds_step (flags=0x7fffffffc8d8, realm=0x7fffffffc900, out=0x7fffffffc8e0, in=<optimized out>, ctx=0x555555595710, context=0x555555594810) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1752 if (in->length != 0) { code = init_creds_step_reply(context, ctx, in); if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) { code2 = krb5int_copy_data_contents(context, ctx->encoded_previous_request, out); #6 krb5_init_creds_step (context=0x555555594810, ctx=0x555555595710, in=<optimized out>, out=0x7fffffffc8e0, realm=0x7fffffffc900, flags=0x7fffffffc8d8) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1727 #7 0x00007ffff7f230b9 in k5_init_creds_get ( context=context@entry=0x555555594810, ctx=0x555555595710, use_master=use_master@entry=0x7fffffffca98) at ../../../../src/lib/krb5/krb/get_in_tkt.c:608 #8 0x00007ffff7f23214 in k5_get_init_creds ( context=context@entry=0x555555594810, creds=creds@entry=0x555555594cc0, client=client@entry=0x555555596a30, prompter=prompter@entry=0x0, prompter_data=prompter_data@entry=0x555555592d30, start_time=start_time@entry=0, in_tkt_service=0x0, options=0x555555594d40, gak_fct=0x7ffff7f24750 <krb5_get_as_key_password>, gak_data=0x7fffffffcb00, use_master=0x7fffffffca98, as_reply=0x7fffffffcaa0) at ../../../../src/lib/krb5/krb/get_in_tkt.c:1833 #9 0x00007ffff7f24d39 in krb5_get_init_creds_password ( context=0x555555594810, creds=0x555555594cc0, client=0x555555596a30, password=password@entry=0x0, prompter=prompter@entry=0x0, data=data@entry=0x555555592d30, start_time=0, in_tkt_service=0x0, options=0x555555594d40) at ../../../../src/lib/krb5/krb/gic_pwd.c:317 It looks like it calls the responder at two different points during the entire preauth exchange? Note that this may soon be irrelevant to this particular code base since I'm probably going to switch back to a prompter. -- Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos