On Fri, Sep 24, 2010 at 01:57:46AM +0200, Luke Howard wrote:
> > Although, keep in mind that the GSS-API has no prompting in it. We've
> > talked before about adding an API for acquiring "initial" credentials,
> > complete with prompting support. Maybe it's time for that? But in any
> > case, some OSes have managed to make the UI issues in the GSS-API
> > completely hidden from the application (call gss_acquire_cred(), the
> > user gets a dialog for their password/PIN/whatever if they didn't
> > already have creds).
>
> Well, we do have gss_acquire_cred_with_password() (same as Solaris).
> This will be supported for applications that want to do things that
> way.
Yes, that'll likely work well enough for GSS-EAP.
> I think I prefer to have the UI in another process and hidden from the
> application; we (or the EAP library) can get the necessary stuff via
> IPC. Otherwise we end up re-inventing PAM.
If you do go down that route, do keep in mind that PAM is a good
anti-pattern for how to do prompting APIs...
|