> Although, keep in mind that the GSS-API has no prompting in it. We've
> talked before about adding an API for acquiring "initial" credentials,
> complete with prompting support. Maybe it's time for that? But in any
> case, some OSes have managed to make the UI issues in the GSS-API
> completely hidden from the application (call gss_acquire_cred(), the
> user gets a dialog for their password/PIN/whatever if they didn't
> already have creds).
Well, we do have gss_acquire_cred_with_password() (same as Solaris). This will be supported for applications that want to do things that way.
I think I prefer to have the UI in another process and hidden from the application; we (or the EAP library) can get the necessary stuff via IPC. Otherwise we end up re-inventing PAM.
-- Luke
|