On Tue, 2016-05-24 at 15:25 +0200, Sumit Bose wrote:
> ACK, on the client krb5_responder_list_questions() return both
> "password" and "otp" if the user is configured for both.
> 
> Btw, what is the right way for a client to skip "otp" and only do
> "password" should something like krb5_responder_otp_set_answer(ctx,
> rctx, i, NULL, NULL); work ?

This is a good question. I raised the question with MIT.

My suspicion is that you will need to set both a prompter and responder
callback functions. The prompter function will always unconditionally
return an error code. The responder will look at all questions and
decide what to do. It will only answer the questions it wants to
answer.

In this case, I believe that preauth modules which have answered
questions will function normally. Those without valid answers will fall
back to the prompter. The prompter will return an error code. Thus, the
modules with unanswered questions will error out and not send preauth
data.

> I would prefer to keep the old way for now and discuss on the list if
> we
> should move to '#pragma once'. If we can get an agreement we can
> switch
> to '#pragma once' completely later.

I'll bring this up on a separate thread.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to