On Tue, 2016-05-24 at 15:25 +0200, Sumit Bose wrote: > ACK, on the client krb5_responder_list_questions() return both > "password" and "otp" if the user is configured for both. > > Btw, what is the right way for a client to skip "otp" and only do > "password" should something like krb5_responder_otp_set_answer(ctx, > rctx, i, NULL, NULL); work ?
This is a good question. I raised the question with MIT. My suspicion is that you will need to set both a prompter and responder callback functions. The prompter function will always unconditionally return an error code. The responder will look at all questions and decide what to do. It will only answer the questions it wants to answer. In this case, I believe that preauth modules which have answered questions will function normally. Those without valid answers will fall back to the prompter. The prompter will return an error code. Thus, the modules with unanswered questions will error out and not send preauth data. > I would prefer to keep the old way for now and discuss on the list if > we > should move to '#pragma once'. If we can get an agreement we can > switch > to '#pragma once' completely later. I'll bring this up on a separate thread. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code