[Freeipa-devel] [PATCHES 0089-0093] Authentication Indicators

Nathaniel McCallum npmccallum at redhat.com
Tue May 24 14:06:09 UTC 2016


On Tue, 2016-05-24 at 15:25 +0200, Sumit Bose wrote:
> ACK, on the client krb5_responder_list_questions() returns both
> "password" and "otp" if the user is configured for both.
> 
> Btw, what is the right way for a client to skip "otp" and only do
> "password"? Should something like krb5_responder_otp_set_answer(ctx,
> rctx, i, NULL, NULL); work?

This is a good question. I raised the question with MIT.

My suspicion is that you will need to set both prompter and responder
callback functions. The prompter function will always unconditionally
return an error code. The responder will look at all questions and
decide what to do. It will only answer the questions it wants to
answer.

In this case, I believe that preauth modules which have answered
questions will function normally. Those without valid answers will fall
back to the prompter. The prompter will return an error code. Thus, the
modules with unanswered questions will error out and not send preauth
data.

> I would prefer to keep the old way for now and discuss on the list if
> we should move to '#pragma once'. If we can get an agreement we can
> switch to '#pragma once' completely later.

I'll bring this up on a separate thread.



