Subject: NIM password prompt does not identify itself
NIM from either MIT KfW Beta 2 or from secure-endpoints.com/binaries/mit-kfw-3-2-0/kfw-3-2-0.msi.

Vista or XP.


The NIM password prompt dialog does not identify itself as Network
Identity Manager or as having to do with Kerberos. Users don’t have
any way of knowing if they should type their password into this dialog
or not.

The dialog should identify itself.
The obtain new credentials dialog is identified as a NIM dialog by the
icon.

The title bar is given the text "Obtain New Credentials" when there is
no user/realm specified or "user@REALM - New Credentials" when one has been.

The UI issues are as follows:
(1) there is very limited space on the title bar in the "basic" view.
Perhaps a total of 60 characters if you fill the entire bar. (This is
dependent on the user's choice of typeface.) Adding "Network Identity
Manager - " to the title bar will eat up a third of that space.

(2) When the user switches to Advanced view, the user/realm is not
visible except when the user is viewing the "General" tab. We consider
it important that the selected principal name be visible to the user
when viewing the other advanced configuration tabs.

(3) There should be consistency when the user switches back and forth
between "basic" and "advanced" views. The title bar should not change.

One way that this could be handled would be to add a status bar to the
"advanced" view that displays the selected identity. That would free up
the title bar so that it would become "Network Identity Manager - Obtain
New Credentials" as a static string. However, I should point out that
in the NIM 2.0 user interface proposal(*) we have already addressed this
concern as the selected identity is always visible to the user. In NIM
2.0, the title bar text is always static and as such can read "Network
Identity Manager - Obtain New Credentials".

Jeffrey Altman


(*)
http://www.secure-endpoints.com/netidmgr/proposal-nim-multiple-id-nc-ux.pdf
This patch solves the titlebar problem by putting the explanatory
prompt in the dialog. It uses two registry settings:

PluginManager/NameSpaceName: The word 'Kerberos' which is prepended
to the Username input label.

PluginManager/NewCredPromptText: 'Enter your Kerberos password.'

Either registry entry can be omitted.

This patch embeds knowledge of the New Credentials dialog in the krb5
plugin, which is not a valid long term solution. Why? The patch or
something like it needs to be included in KfW 3.2.2 before midweek.


C:\KfW\pismere\athena\auth\krb5\src\windows\identity>svn diff plugins\krb5\krb5identpro.c
Index: plugins/krb5/krb5identpro.c
===================================================================
--- plugins/krb5/krb5identpro.c (revision 19911)
+++ plugins/krb5/krb5identpro.c (working copy)
@@ -31,7 +31,11 @@
#include<strsafe.h>
#include<krb5.h>
#include<assert.h>
+#include <string.h>

+#include <memory.h>
+#include <wchar.h>
+
#define K5_NCID_UN_LABEL (KHUI_CW_ID_MIN + 0)
#define K5_NCID_UN (KHUI_CW_ID_MIN + 1)
#define K5_NCID_REALM_LABEL (KHUI_CW_ID_MIN + 2)
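Review bot: the three new includes are written `#include <...>` while the adjacent lines use `#include<...>`; pick one style. Only `<wchar.h>` (or `<string.h>` on MSVC) is actually needed, for the `wcsncat` call later in the patch; `<memory.h>` is a legacy header that adds nothing here, and `ZeroMemory` comes from the Windows headers, not from any of the three.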
@@ -49,6 +53,8 @@
HWND hw_realm;
} k5_new_cred_data;

+#define IDC_ENTUNAME 1145 /* Hack! */
+
static
void
trim_str(wchar_t * s, khm_size cch) {
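Review bot: `#define IDC_ENTUNAME 1145 /* Hack! */` copies a control ID out of the application's ui/resource.h into the plug-in, and nothing ties the two definitions together: if the UI's resource IDs are renumbered, `GetDlgItem(hw_parent, IDC_ENTUNAME)` either returns NULL (the prompt silently never appears) or a different control whose text then gets overwritten. If the plug-in must address this control at all, include the shared header instead of duplicating the value; better still, keep the prompt text on the application side of the plug-in boundary. The name is also misleading, since the control holds the prompt sentence, not the username entry.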
@@ -397,6 +403,7 @@
return FALSE;
}

+
/* UI Callback

runs in UI thread */
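Review bot: this hunk only adds a blank line before the `/* UI Callback` comment; drop whitespace-only changes so the diff shows just the functional change.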
@@ -427,6 +434,12 @@
khm_int32 rv;
khm_handle hident;

+ khm_handle csp_pm = NULL;
+ wchar_t namespace[KCONF_MAXCCH_NAME];
+ khm_size cbsize;
+ wchar_t promptText[KCONF_MAXCCH_NAME];
+ HWND hw_prompt;
+
hw_parent = (HWND) lParam;
defident[0] = L'\0';
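Review bot: `namespace` is a reserved word in C++; the file compiles as C today, but any header shared with C++ code or a later move to a .cpp build fails on this identifier, so use something like `ns_name`. `promptText` also does not follow the lower_case naming of the surrounding variables (`hw_parent`, `defident`, `csp_pm`).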

@@ -435,6 +448,16 @@
assert(hw_parent != NULL);
#endif

+ if (!KHM_FAILED(khc_open_space(NULL, L"PluginManager",
KHM_PERM_READ, &csp_pm))) {
+ ZeroMemory(namespace, sizeof(namespace) * sizeof
(wchar_t));
+ ZeroMemory(promptText, sizeof(promptText) * sizeof
(wchar_t));
+ cbsize = sizeof(namespace);
+ khc_read_string(csp_pm, L"NameSpaceName", namespace,
&cbsize);
+ cbsize = sizeof(promptText);
+ khc_read_string(csp_pm, L"NewCredPromptText",
promptText, &cbsize);
+ khc_close_space(csp_pm);
+ }
+
d = PMALLOC(sizeof(*d));
assert(d);
ZeroMemory(d, sizeof(*d));
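Review bot: `ZeroMemory(namespace, sizeof(namespace) * sizeof(wchar_t))` writes past the end of the array: `sizeof(namespace)` is already a byte count (`KCONF_MAXCCH_NAME * sizeof(wchar_t)`), so multiplying by `sizeof(wchar_t)` again zeroes twice the buffer and corrupts the stack; the same applies to `promptText`. Use `ZeroMemory(namespace, sizeof(namespace))`. In addition, because the zeroing sits inside the `if`, when `khc_open_space` fails both arrays are left uninitialized and are then used as strings by `wcsncat` and `WM_SETTEXT`; and the `khc_read_string` return values are ignored, so a missing optional setting cannot be told apart from a present one. At minimum zero the buffers before the `if`, and check the read results.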
@@ -446,10 +469,17 @@
LoadString(hResModule, IDS_NC_USERNAME,
wbuf, ARRAYLENGTH(wbuf));

+ /* Find and set IDC_ENTUNAME: */
+ hw_prompt = GetDlgItem(hw_parent, IDC_ENTUNAME);
+ if (hw_prompt) SendMessage(hw_prompt, WM_SETTEXT, 0,
(LPARAM)promptText);
+
+ /* Build up username prompt from NameSpaceName and
Username: */
+ wcsncat(namespace, wbuf, KCONF_MAXCCH_NAME);
+
d->hw_username_label = CreateWindow
(L"STATIC",
- wbuf,
- SS_SIMPLE | WS_CHILD | WS_VISIBLE,
+ namespace,
+ WS_CHILD | WS_VISIBLE,
0, 0, 100, 100, /* bogus values */
hw_parent,
(HMENU) K5_NCID_UN_LABEL,
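Review bot: `wcsncat(namespace, wbuf, KCONF_MAXCCH_NAME)` is not bounded by the destination: the third argument of `wcsncat` is the maximum number of characters to append, not the size of the buffer, so with the NameSpaceName text already in `namespace` the concatenation can run past the end of the array. `<strsafe.h>` is already included, so `StringCchCat(namespace, ARRAYLENGTH(namespace), wbuf)` gives a bounded, NUL-terminated result. Separately, the `WM_SETTEXT` is sent even when `promptText` is empty, and the `SS_SIMPLE` style has been dropped from the username label without explanation; both should be stated in the change description.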
@@ -713,6 +743,7 @@
WM_SETTEXT,
0,
(LPARAM) defident);
+
}

set_identity_from_ui(nc, d);


C:\KfW\pismere\athena\auth\krb5\src\windows\identity>svn diff ui/resource.h
Index: ui/resource.h
===================================================================
--- ui/resource.h (revision 19911)
+++ ui/resource.h (working copy)
@@ -1,6 +1,6 @@
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
-// Used by C:\work\pismere\athena\auth\krb5
\src\windows\identity\ui\lang\en_us\khapp.rc
+// Used by C:\KfW\pismere\athena\auth\krb5
\src\windows\identity\ui\lang\en_us\khapp.rc
//
#define IDI_MAIN_APP 104
#define IDD_PP_CRED 106
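Review bot: the only change in this hunk is the `// Used by C:\...` comment that Visual Studio regenerates with the local checkout path; committing it makes this line churn with every developer's checkout location. Leave the generated comment as it is in the repository.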
@@ -397,6 +397,7 @@
#define IDC_CFG_NOTACT_STATIC 1142
#define IDC_NC_BASIC 1143
#define IDC_CONTENT 1144
+#define IDC_ENTUNAME 1145
#define IDA_ACTIVATE_MENU 40003
#define IDA_UP 40004
#define IDA_DOWN 40005
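Review bot: `IDC_ENTUNAME` names a control that holds the prompt sentence ("Enter your Kerberos password"), not a username entry field; a name in the `IDC_NC_*` form of the neighbouring IDs would match the convention and avoid confusion with the plug-in's own username control. The same value is also hard-coded as 1145 in plugins/krb5/krb5identpro.c in this change set, so the two definitions must be kept in step by hand.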
@@ -411,7 +412,7 @@
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 214
#define _APS_NEXT_COMMAND_VALUE 40010
-#define _APS_NEXT_CONTROL_VALUE 1145
+#define _APS_NEXT_CONTROL_VALUE 1146
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

khapp.rc was edited with Visual Studio so the line wraps are
different. A prompt line was added to the new credentials dialog and
the BBAR OK button was made the same height as the other buttons. svn
diff crashes.
Date: Mon, 24 Sep 2007 15:12:25 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5610] NIM password prompt does not identify itself
Kevin Koch via RT wrote:

> This patch embeds knowledge of the New Credentials dialog in the krb5
> plugin, which is not a valid long term solution. Why?

Are you asking for an explanation of why violating the abstraction
layer between the application and the identity / credentials providers
is a bad idea?

> khapp.rc was edited with Visual Studio so the line wraps are
> different. A prompt line was added to the new credentials dialog and
> the BBAR OK button was made the same height as the other buttons. svn
> diff crashes.

I can't apply the patch and test it if I don't know what the contents of
the khapp.rc file are.

Also, if svn diff is crashing it is likely that the patch can't be
computed in order to perform the commit. You should figure out what
is broken. Asanka edits the RC files with Visual Studio as well and
doesn't have problems with svn crashing.

Be sure not to use the svn from CygWin. It will only cause you
problems. The most recent svn build is:

svn, version 1.4.5 (r25188)
compiled Aug 22 2007, 20:49:04

Jeffrey Altman
> This patch solves the titlebar problem by putting the explanatory
> prompt in the dialog. It uses two registry settings:
>
> PluginManager/NameSpaceName: The word 'Kerberos' which is prepended
> to the Username input label.
>
> PluginManager/NewCredPromptText: 'Enter your Kerberos password.'
>
> Either registry entry can be omitted.

Since these settings are specific to the Kerberos 5 plug-in, they should
go under PluginManager/Plugins/Krb5Cred/Parameters . Note that both
Krb5Ident and Krb5Cred plug-ins share the same configuration space since
they use the same configuration settings.

> plugins\krb5\krb5identpro.c
> Index: plugins/krb5/krb5identpro.c
> ===================================================================
...
> @@ -446,10 +469,17 @@
> LoadString(hResModule, IDS_NC_USERNAME,
> wbuf, ARRAYLENGTH(wbuf));
>
> + /* Find and set IDC_ENTUNAME: */
> + hw_prompt = GetDlgItem(hw_parent, IDC_ENTUNAME);
> + if (hw_prompt) SendMessage(hw_prompt, WM_SETTEXT, 0,
> (LPARAM)promptText);
...

The labels used for password prompting are provided by the Kerberos 5
plug-in. If you want to change the text of these labels, you should do
so at k5_kinit_prompter() and k5_cached_kinit_prompter() in
krb5newcreds.c before the label text is provided to NIM.

Doing it this way can cause problems for a few reasons. The control IDs
for controls in the new credentials dialog can change. Also, the
plug-in doesn't always know that what it's prompting for is a password,
which is why we use the prompt string provided by the KDC.

If the registry settings are optional, you should check for their
existence before using their values. The code seems to assume they
always exist.

> khapp.rc was edited with Visual Studio so the line wraps are
> different. A prompt line was added to the new credentials dialog and
> the BBAR OK button was made the same height as the other buttons. svn
> diff crashes.

I sometimes use Visual Studio for editing the .rc files as well. You'll
have to use something else to fix line endings after saving the files
with VS.

- Asanka Herath
Secure-Endpoints Inc.
The "why?" was: why do it the wrong way. The reason is that I don't have
another day to spend on it right now. As with the hack that fixed the
UI update symptom in 3.2.1, this is obviously the wrong way to do it
and needs to be redone correctly.

Tomorrow I'll post a different patch for krb5identpro.c that
incorporates Asanka's comment.

After undoing Visual Studio's line wrapping and re-reading svn diff --help,
here is the last patch:

C:\KfW\pismere\athena\auth\krb5\src\windows\identity>svn diff -x --ignore-eol-style ui\lang\en_us\khapp.rc
Index: ui/lang/en_us/khapp.rc
===================================================================
--- ui/lang/en_us/khapp.rc (revision 19970)
+++ ui/lang/en_us/khapp.rc (working copy)
@@ -160,34 +160,35 @@
// Dialog
//

-IDD_NC_NEWCRED DIALOGEX 0, 0, 301, 167
+IDD_NC_NEWCRED DIALOGEX 0, 0, 301, 165
STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
EXSTYLE WS_EX_CONTROLPARENT
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
- LTEXT "UI Row2",IDC_NC_TPL_ROW_LG,7,31,287,18,NOT
WS_VISIBLE | WS_BORDER
- LTEXT "TplPanel",IDC_NC_TPL_PANEL,7,7,287,153,NOT
WS_VISIBLE | WS_BORDER
- LTEXT "UI Row",IDC_NC_TPL_ROW,7,7,287,18,NOT WS_VISIBLE
| WS_BORDER
- LTEXT "TplLabel",IDC_NC_TPL_LABEL,7,8,45,10,NOT
WS_VISIBLE | WS_BORDER
- LTEXT "TplInput",IDC_NC_TPL_INPUT,54,7,240,13,NOT
WS_VISIBLE | WS_BORDER
- LTEXT "TplLabelLg",IDC_NC_TPL_LABEL_LG,7,33,146,10,NOT
WS_VISIBLE | WS_BORDER
-
LTEXT "TplInputLg",IDC_NC_TPL_INPUT_LG,155,31,139,13,NOT
WS_VISIBLE | WS_BORDER
-
LTEXT "&Credentials",IDC_NC_CREDTEXT_LABEL,7,66,41,10,NOT
WS_VISIBLE | NOT WS_GROUP
- CONTROL "",IDC_NC_CREDTEXT,"KhmHtWnd",NOT WS_VISIBLE |
WS_TABSTOP,54,65,240,95,WS_EX_CLIENTEDGE
- PUSHBUTTON "&Ok",IDOK,101,142,89,18,WS_DISABLED
- PUSHBUTTON "&Cancel",IDCANCEL,198,142,54,18
- PUSHBUTTON "&>>",IDC_NC_ADVANCED,260,142,34,18
+ LTEXT "UI Row2",IDC_NC_TPL_ROW_LG,7,52,287,19,NOT
WS_VISIBLE | WS_BORDER
+ LTEXT "TplPanel",IDC_NC_TPL_PANEL,7,27,287,131,NOT
WS_VISIBLE | WS_BORDER
+ LTEXT "",IDC_NC_TPL_ROW,7,29,287,21,NOT WS_VISIBLE |
WS_BORDER
+ LTEXT "TplLabel",IDC_NC_TPL_LABEL,7,29,45,21,NOT
WS_VISIBLE | WS_BORDER
+ LTEXT "TplInput",IDC_NC_TPL_INPUT,54,31,240,13,NOT
WS_VISIBLE | WS_BORDER
+ LTEXT "TplLabelLg",IDC_NC_TPL_LABEL_LG,7,54,146,10,NOT
WS_VISIBLE | WS_BORDER
+
LTEXT "TplInputLg",IDC_NC_TPL_INPUT_LG,155,52,139,13,NOT
WS_VISIBLE | WS_BORDER
+
LTEXT "&Credentials",IDC_NC_CREDTEXT_LABEL,7,71,41,10,NOT
WS_VISIBLE | NOT WS_GROUP
+ CONTROL "",IDC_NC_CREDTEXT,"KhmHtWnd",NOT WS_VISIBLE |
WS_TABSTOP,54,63,240,95,WS_EX_CLIENTEDGE
+ PUSHBUTTON "&Ok",IDOK,101,140,89,18,WS_DISABLED
+ PUSHBUTTON "&Cancel",IDCANCEL,198,140,54,18
+ PUSHBUTTON "&>>",IDC_NC_ADVANCED,260,140,34,18
+ LTEXT "Enter your Kerberos
password",IDC_ENTUNAME,7,7,287,20
END

-IDD_NC_BBAR DIALOGEX 0, 0, 66, 190
+IDD_NC_BBAR DIALOGEX 0, 0, 66, 215
STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD | WS_SYSMENU
EXSTYLE WS_EX_CONTROLPARENT
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
- DEFPUSHBUTTON "&Ok",IDOK,7,7,52,41,WS_DISABLED
- PUSHBUTTON "&Cancel",IDCANCEL,7,58,52,19
- PUSHBUTTON "<<",IDC_NC_BASIC,7,144,52,14
- PUSHBUTTON "&Help",IDC_NC_HELP,7,164,52,19
+ DEFPUSHBUTTON "&Ok",IDOK,7,28,52,19,WS_DISABLED
+ PUSHBUTTON "&Cancel",IDCANCEL,7,53,52,19
+ PUSHBUTTON "&<<",IDC_NC_BASIC,7,163,52,19
+ PUSHBUTTON "&Help",IDC_NC_HELP,7,189,52,19
END

IDD_PP_IDENT DIALOGEX 0, 0, 235, 156
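Review bot: the new `LTEXT "Enter your Kerberos password",IDC_ENTUNAME,7,7,287,20` hard-codes the prompt sentence in the resource script while the companion patch also reads it from the `NewCredPromptText` registry value; one of the two is redundant, and since this file lives under ui/lang/en_us the string needs to come from the same place as the rest of the localized text. The template row also changed from `LTEXT "UI Row",IDC_NC_TPL_ROW,7,7,287,18` to `LTEXT "",IDC_NC_TPL_ROW,7,29,287,21` and `IDC_NC_TPL_LABEL` grew from height 10 to 21; these template rectangles drive the layout of the dynamically created rows, so changing them alters the spacing of every row, which is consistent with the later report that the dialog proportions were broken. A single 20-unit line also leaves no room for the prompt to wrap under a wider desktop typeface.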
@@ -232,7 +233,8 @@
STYLE DS_SETFONT | DS_FIXEDSYS | WS_CHILD | WS_SYSMENU
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
- CTEXT "Please select one of the configuration
categories on the
left.",IDC_STATIC,21,17,212,18,SS_CENTERIMAGE,WS_EX_TRANSPARENT
+ CTEXT "Please select one of the configuration
categories on the left.",
+
IDC_STATIC,21,17,212,18,SS_CENTERIMAGE,WS_EX_TRANSPARENT
END

IDD_CFG_GENERAL DIALOGEX 0, 0, 255, 182
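Review bot: this hunk only re-wraps the `CTEXT "Please select one of the configuration categories on the left."` statement as the resource editor reflowed it; it has no functional effect and should be reverted so the diff contains only the dialog changes under review.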
@@ -415,7 +417,7 @@
LEFTMARGIN, 7
RIGHTMARGIN, 294
TOPMARGIN, 7
- BOTTOMMARGIN, 160
+ BOTTOMMARGIN, 158
END

IDD_NC_BBAR, DIALOG
@@ -423,7 +425,7 @@
LEFTMARGIN, 7
RIGHTMARGIN, 59
TOPMARGIN, 7
- BOTTOMMARGIN, 183
+ BOTTOMMARGIN, 208
END

IDD_PP_IDENT, DIALOG
@@ -849,10 +851,5 @@
//
// Generated from the TEXTINCLUDE 3 resource.
//
-
-
-
///////////////////////////////////////////////////////////////////////
//////
+ /////////////////////////////////////////////////////////////////////
////////
#endif // not APSTUDIO_INVOKED
-
-
-
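Review bot: the trailing hunk removes and re-adds the `///...` comment line and the blank lines of the generated TEXTINCLUDE 3 block, and the re-added comment line now starts with a space; this is editor churn with no effect and should be dropped from the patch.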
[asanka - Mon Sep 24 17:10:18 2007]:

> Since these settings are specific to the Kerberos 5 plug-in, they
> should
> go under PluginManager/Plugins/Krb5Cred/Parameters . Note that both
> Krb5Ident and Krb5Cred plug-ins share the same configuration space
> since
> they use the same configuration settings.

Also please remember, whenever you add new registry values, they must be
added to the schema.
I have applied your patch and attached the output as rt5610-dialog.png.

The proportions of the dialog in both basic and advanced views have been
destroyed. The patch doesn't address basic issues associated with the
actual bounding box of the output string depending on the facename and
font size specified in the user's desktop theme.

From my viewpoint this patch is unacceptable.
Thanks for the reminder about the csv file.

C:\KfW\pismere\athena\auth\krb5\src\windows\identity>svn diff -x --ignore-eol-style plugins\krb5\krbconfig.csv
Index: plugins/krb5/krbconfig.csv
===================================================================
--- plugins/krb5/krbconfig.csv (revision 19911)
+++ plugins/krb5/krbconfig.csv (working copy)
@@ -25,6 +25,8 @@
LRURealms,KC_STRING,,
LRUPrincipals,KC_STRING,,
LastDefaultIdent,KC_STRING,,Last known default identity
+ NameSpaceName,KC_STRING,,The name of the service NIM presents to
the user. Typically 'Kerberos ' if given at all. Prepended
to 'Username' in the NewCreds
Username input label
+ NewCredPromptText,KC_STRING,,The prompt sentence at the top of
the New Creds dialog
PromptCacheLifetime,KC_INT32,172800,Lifetime of the prompt cache
in seconds
DefaultCCName,KC_STRING,,Default CC name (only per identity)
DefaultToFileCache,KC_INT32,0,"If no DefaultCCName is specified
for an identity, use a generated FILE: cache instead of an API: cache"
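Review bot: the two new rows are indented with a leading space (`+ NameSpaceName,...`, `+ NewCredPromptText,...`) while every other row starts in column one; unless the schema loader trims the key, the setting is registered under a name beginning with a blank. The description also makes a trailing blank inside the value ('Kerberos ') part of the contract, which is easily lost when the registry is edited by hand; inserting the separator in code and trimming the configured value is more robust. Keep each description on one line like the neighbouring rows, and quote it if it ever contains a comma, as the DefaultToFileCache row does.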


C:\KfW\pismere\athena\auth\krb5\src\windows\identity>svn diff -x --ignore-eol-style plugins\krb5\krb5identpro.c
Index: plugins/krb5/krb5identpro.c
===================================================================
--- plugins/krb5/krb5identpro.c (revision 19911)
+++ plugins/krb5/krb5identpro.c (working copy)
@@ -31,6 +31,7 @@
#include<strsafe.h>
#include<krb5.h>
#include<assert.h>
+#include <string.h>

#define K5_NCID_UN_LABEL (KHUI_CW_ID_MIN + 0)
#define K5_NCID_UN (KHUI_CW_ID_MIN + 1)
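Review bot: `<string.h>` is added for `wcsncat`, which the C standard declares in `<wchar.h>` (MSVC also exposes it through `<string.h>`); include `<wchar.h>` for portability and match the `#include<...>` spacing of the surrounding lines.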
@@ -49,6 +50,8 @@
HWND hw_realm;
} k5_new_cred_data;

+#define IDC_ENTUNAME 1145 /* Hack! */
+
static
void
trim_str(wchar_t * s, khm_size cch) {
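Review bot: the `#define IDC_ENTUNAME 1145 /* Hack! */` duplicate of the application's resource ID is unchanged from the earlier version of this patch; the plug-in still addresses a control it does not own, so renumbering the UI resources silently breaks the prompt. If the value must be shared, include the header that defines it.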
@@ -397,6 +400,7 @@
return FALSE;
}

+
/* UI Callback

runs in UI thread */
@@ -427,6 +431,12 @@
khm_int32 rv;
khm_handle hident;

+ khm_handle csp_pm = NULL;
+ wchar_t namespace[KCONF_MAXCCH_NAME];
+ khm_size cbsize;
+ wchar_t promptText[KCONF_MAXCCH_NAME];
+ HWND hw_prompt;
+
hw_parent = (HWND) lParam;
defident[0] = L'\0';

@@ -435,6 +445,19 @@
assert(hw_parent != NULL);
#endif

+ ZeroMemory(namespace, sizeof(namespace) * sizeof
(wchar_t));
+ ZeroMemory(promptText, sizeof(promptText) * sizeof
(wchar_t));
+ if (!KHM_FAILED(khc_open_space(NULL,
L"PluginManager\\Plugins\\Krb5Cred\\Parameters",
+ KHM_PERM_READ, &csp_pm))) {
+ cbsize = sizeof(namespace);
+ khc_read_string(csp_pm, L"NameSpaceName", namespace,
&cbsize);
+
+ cbsize = sizeof(promptText);
+ khc_read_string(csp_pm, L"NewCredPromptText",
promptText, &cbsize);
+
+ khc_close_space(csp_pm);
+ }
+
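Review bot: moving the `ZeroMemory` calls ahead of the `if` fixes the use of uninitialized buffers when the configuration space cannot be opened, but the size argument is still wrong: `sizeof(namespace)` is already a byte count, so `sizeof(namespace) * sizeof(wchar_t)` zeroes twice the array and overwrites adjacent stack memory; use `sizeof(namespace)` and `sizeof(promptText)` alone. The `khc_read_string` return values remain unchecked, which is only acceptable because the buffers are pre-zeroed and a failed read is assumed to leave them untouched; that assumption belongs in a comment, and the new space `PluginManager\\Plugins\\Krb5Cred\\Parameters` still has to be present in the schema for the reads to succeed.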
d = PMALLOC(sizeof(*d));
assert(d);
ZeroMemory(d, sizeof(*d));
@@ -446,10 +469,17 @@
LoadString(hResModule, IDS_NC_USERNAME,
wbuf, ARRAYLENGTH(wbuf));

+ /* Find and set IDC_ENTUNAME: */
+ hw_prompt = GetDlgItem(hw_parent, IDC_ENTUNAME);
+ if (hw_prompt) SendMessage(hw_prompt, WM_SETTEXT, 0,
(LPARAM)promptText);
+
+ /* Build up username prompt from NameSpaceName and
Username: */
+ wcsncat(namespace, wbuf, KCONF_MAXCCH_NAME);
+
d->hw_username_label = CreateWindow
(L"STATIC",
- wbuf,
- SS_SIMPLE | WS_CHILD | WS_VISIBLE,
+ namespace,
+ WS_CHILD | WS_VISIBLE,
0, 0, 100, 100, /* bogus values */
hw_parent,
(HMENU) K5_NCID_UN_LABEL,
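Review bot: `wcsncat(namespace, wbuf, KCONF_MAXCCH_NAME)` is still bounded by the append count rather than by the space remaining in the destination, so a long NameSpaceName plus the username label can overflow `namespace`; `StringCchCat(namespace, ARRAYLENGTH(namespace), wbuf)` from the already-included `<strsafe.h>` is the safe form. The label is also joined without a separator, which is why the csv now requires a trailing blank in the value; adding the blank here removes that requirement. The dropped `SS_SIMPLE` style on the username label is still unexplained.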
@@ -713,6 +743,7 @@
WM_SETTEXT,
0,
(LPARAM) defident);
+
}

set_identity_from_ui(nc, d);
You will see from the csv file (which has now been posted; thanks for
the reminder), that the NameSpaceName must have a trailing blank.
Then the label on the username input looks better.

MIT agrees that this patch needs to be replaced by a better one in the
fullness of time.
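As an added example (not code from this ticket or from NIM) of two points raised in the thread, that optional settings must be handled when absent and that the label should not depend on a trailing blank in the `NameSpaceName` value, the hypothetical `build_username_label` below inserts the separator itself, treats a missing value as empty, and is bounded by the destination size rather than an append count; `MAXCCH_NAME` stands in for `KCONF_MAXCCH_NAME`.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define MAXCCH_NAME 256   /* stands in for KCONF_MAXCCH_NAME (assumed size) */

/* Compose the username label as "<service> <label>", or just "<label>"
 * when the optional service name is absent (NULL or empty). out holds
 * cch_out wide characters including the terminating NUL. The separator
 * is added here and trailing blanks in the configured value are ignored,
 * so "Kerberos" and "Kerberos " give the same result.
 * Returns 0 on success, -1 if the result would not fit. */
int build_username_label(const wchar_t *service, const wchar_t *label,
                         wchar_t *out, size_t cch_out)
{
    size_t svc_len = (service != NULL) ? wcslen(service) : 0;
    size_t lbl_len = wcslen(label);
    size_t need, pos = 0;

    while (svc_len > 0 && service[svc_len - 1] == L' ')
        svc_len--;                      /* drop the trailing-blank contract */

    need = lbl_len + (svc_len > 0 ? svc_len + 1 : 0) + 1;
    if (cch_out == 0 || need > cch_out) /* bounded by destination size, */
        return -1;                      /* unlike wcsncat's append count */

    if (svc_len > 0) {
        wmemcpy(out + pos, service, svc_len);
        pos += svc_len;
        out[pos++] = L' ';
    }
    wmemcpy(out + pos, label, lbl_len);
    pos += lbl_len;
    out[pos] = L'\0';
    return 0;
}

/* Helper for checks: 1 if the label builds and equals expected, else 0. */
int label_equals(const wchar_t *service, const wchar_t *label,
                 size_t cch_out, const wchar_t *expected)
{
    wchar_t buf[MAXCCH_NAME];
    if (cch_out > MAXCCH_NAME)
        cch_out = MAXCCH_NAME;
    if (build_username_label(service, label, buf, cch_out) != 0)
        return 0;
    return wcscmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed inputs modelled on the thread: the registry value with
     * and without the trailing blank, an empty value, and the value unset */
    const wchar_t *cases[] = { L"Kerberos ", L"Kerberos", L"", NULL };
    wchar_t buf[MAXCCH_NAME];
    for (size_t i = 0; i < 4; i++) {
        if (build_username_label(cases[i], L"Username", buf, MAXCCH_NAME) == 0)
            printf("label: '%ls'\n", buf);
    }
    return 0;
}
```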
Date: Mon, 24 Sep 2007 23:34:38 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5610] NIM password prompt does not identify itself
Kevin Koch via RT wrote:
Show quoted text
> You will see from the csv file (which has now been posted; thanks for
> the reminder), that the NameSpaceName must have a trailing blank.
> Then the label on the username input looks better.

Only if the width of the characters is equivalent to the string
"Kerberos".

The rest of the proportions of the dialog box are no longer consistent.

Show quoted text
> MIT agrees that this patch needs to be replaced by a better one in the
> fullness of time.

This isn't a fullness of time issue. You aren't taking into account all
of the issues associated with the change you are making. This change is
not ready for deployment.