Projects/Password response item

From K5Wiki
Revision as of 10:50, 12 October 2012 by Ghudson (talk | contribs) (Internal view)

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project is a follow-on to Projects/Responder. For clpreauth modules, it specifies a way to get the AS key using either the supplied password or keytab, the responder, or the prompter as appropriate. For applications, it specifies a way to supply the password via the responder.

clpreauth module view

Some client preauth mechanisms, such as encrypted timestamp or encrypted challenge, need access to the client's long-term key in order to prove knowledge of it. These mechanisms are used most often with a password, but can also be used with a keytab. When a password is used, it may currently be obtained from the password parameter to krb5_get_init_creds_password or from the prompter. Although we would like the password to be obtained from the responder when appropriate, we cannot do so by having the clpreauth module directly ask for the password.

Instead, a clpreauth module's prep_questions method can indicate interest in the client long-term key with a new callback:

   void (*need_as_key)(krb5_context context, krb5_clpreauth_rock rock);

This informs libkrb5 that the module's process method will require the long-term key. The module uses the existing get_as_key callback to obtain the key in the process method.

Application view

An application can currently supply the password as a parameter to krb5_get_init_creds_password, or it can wait to be prompted for the password via the prompter. In addition to these options, we add a response item type whose name is "password", whose challenge is NULL, and whose answer is simply the password. Applications can refer to this response item name using the new constant KRB5_RESPONDER_QUESTION_PASSWORD.

Internal view

Passwords are currently obtained through the gak_fct parameter of krb5int_get_init_creds(). We amend this interface (which is non-public) in two ways:

  • A new argument is added to give the gak function access to the response items for the authentication.
  • A gak function can be called with a null as_key parameter in order to indicate a future interest in the AS key.

The gic_keytab gak function does nothing with the response items and performs no operations when a future interest in the AS key is indicated. The gic_pwd gak function adds the password question to the response items if a future interest in the AS key is indicated (unless the password is already available through the API), and retrieves the password from the response items when the AS key is requested.
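
The two-phase gak call described above, as an added example: this is a simplified stand-alone model, not MIT Kerberos code. Every type and function name in it is hypothetical, string-to-key derivation is omitted, and the fallback to the prompter when the responder gives no answer is an assumption based on "as appropriate" in the project summary.

```c
#include <stddef.h>

/* Simplified model: every name below is hypothetical, not libkrb5's. */
#define Q_PASSWORD "password"    /* item name the page specifies */
struct response_items {          /* one-slot stand-in for the item set */
    const char *question;        /* NULL until a question is posed */
    const char *answer;          /* filled in by the application's responder */
};
enum source { SRC_NONE, SRC_API, SRC_RESPONDER, SRC_PROMPTER };

/* Password gak function. as_key == NULL signals future interest in the AS
 * key; non-NULL requests it. The "key" here is just the password string. */
enum source gak_pwd(const char *api_password, struct response_items *ri,
                    const char **as_key)
{
    if (as_key == NULL) {
        if (api_password == NULL)        /* ask only if not already known */
            ri->question = Q_PASSWORD;
        return SRC_NONE;
    }
    if (api_password != NULL) {          /* password supplied through the API */
        *as_key = api_password;
        return SRC_API;
    }
    if (ri->question != NULL && ri->answer != NULL) {
        *as_key = ri->answer;            /* answer to the password item */
        return SRC_RESPONDER;
    }
    *as_key = NULL;                      /* assumed: real code prompts here */
    return SRC_PROMPTER;
}

/* One exchange: prep_questions phase, responder, then process phase. */
enum source run_exchange(const char *api_password, const char *reply, int *asked)
{
    struct response_items ri = { NULL, NULL };
    const char *key = NULL;
    gak_pwd(api_password, &ri, NULL);    /* need_as_key: future interest */
    *asked = ri.question != NULL;        /* did the question reach the app? */
    if (*asked)
        ri.answer = reply;               /* constructed responder answer */
    return gak_pwd(api_password, &ri, &key);   /* get_as_key: key requested */
}

int main(void)
{
    int asked;
    return run_exchange(NULL, "s3cret", &asked) == SRC_RESPONDER ? 0 : 1;
}
```

When the password already arrived through the API, the model never poses the question, so it is not requested from the application a second time.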