Conditional prompting with PKINIT preauth

Russ Allbery
Mon May 27 14:44:07 EDT 2013

One of the PKINIT-related features of my Kerberos PAM module is
use_pkinit, which is defined as only accepting a PKINIT authentication.
Currently, this configuration is only supported with Heimdal because I
can't see a way to do this with MIT Kerberos.  Am I missing something?

Heimdal supports setting a separate prompter only for PKINIT
authentication using the krb5_get_init_creds_opt_set_pkinit API, so I
implement this for Heimdal by setting the normal PAM prompter for PKINIT
and then setting no prompter in krb5_get_init_creds_password, which
disables the fallback to a password prompt.  MIT Kerberos, on the other
hand, appears to only support one prompter function, which means that I
can't do this.  I have to pass in a prompter function for PKINIT prompts
(for a PIN, for instance), and then the Kerberos library falls back to
password-based preauth if PKINIT fails.

Related, try_pkinit, which is defined to have that behavior, still behaves
less than ideally with MIT Kerberos.  When it falls back to password
authentication, that fallback is handled internally by the Kerberos
library, which means that the PAM module has no (sane) way of intercepting
the password and storing it in the PAM stack for subsequent modules.  With
Heimdal, since I can attempt just a PKINIT authentication with no password
fallback separately, I can then pre-prompt for the password and store it
in the PAM stack before invoking krb5_get_init_creds_password again.

Am I missing some capability that would let me do what I want?  And, if
not, could one be added?  Either providing, like Heimdal, a way to set a
separate prompter for PKINIT or providing a way to disable all preauth
mechanisms other than PKINIT would be sufficient I think.

Russ Allbery
