On 3/9/20 1:32 AM, Russ Allbery wrote:

>> In MIT krb5 you can set an expire callback
>> (krb5_get_init_creds_opt_set_expire_callback()); otherwise the prompter
>> is used if present, whether or not a responder is provided.
>
> Oh! Okay, that makes sense. In this case, the prompter is called with
> just a banner but no question?
Yes. For this prompter call, name is NULL, banner is the formatted
expiration warning, and num_prompts is 0.

> The relevant difference seems to be in frame 4 and frame 5. Source
> embedded from the krb5-1.17-final tag. In both cases, k5_preauth then
> calls the responder.

Ah, two responder calls, not two prompter calls. I was looking at the
wrong code paths.

Now that I look at the PKINIT responder logic, I agree that there is a
bug. In the second call to k5_preauth(), we are processing the KDC
PKINIT padata supplied alongside the issued ticket, in order to
authenticate the KDC response and set the correct reply key. PKINIT
does not need access to client certificates at this stage, but
pkinit_client_prep_questions() re-asks questions for its recorded
identities without checking the padata type or any other state that
would indicate where it is in the process.

I will file a ticket. (The real reason kinit isn't affected is that it
doesn't use a responder callback.)

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos