Greg Hudson <ghud...@mit.edu> writes:

> Yes. For this prompter call, name is NULL, banner is the formatted
> expiration warning, and num_prompts is 0.

Thanks!

> Ah, two responder calls, not two prompter calls. I was looking at the
> wrong code paths.

Oh, sorry, poor bug report on my part.

> Now that I look at the PKINIT responder logic, I agree that there is a
> bug. In the second call to k5_preauth(), we are processing the KDC
> PKINIT padata supplied alongside the issued ticket, in order to
> authenticate the KDC response and set the correct reply key. PKINIT
> does not need access to client certificates at this stage, but
> pkinit_client_prep_questions() re-asks questions for its recorded
> identities without checking the padata type or any other state that
> would indicate where it is in the process. I will file a ticket.

Thanks!

> (The real reason kinit isn't affected is that it doesn't use a responder
> callback.)

Yes, that makes perfect sense in retrospect. I should have started with gdb before speculating.

-- 
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos