Douglas E. Engert
deengert at anl.gov
Wed Dec 13 14:12:10 EST 2006
Nicolas Williams wrote:
> On Tue, Dec 12, 2006 at 04:35:34PM -0500, Jim Rees wrote:
>>I thought about allowing you to specify a token label, and I may do that if
>>I have time.
> Using token labels would allow users to establish token naming
> conventions that provide a reasonable default for PKINIT clients.
> This would be useful -- who wants to train users on how to use this -X
> option? And anyways, a PAM PKINIT-able module would need to be able to
> find the right token with minimal configuration and interaction.
I don't believe the user will even see the -X options with a smartcard.
They are pretty much dictated by the admin and could be in the krb5.conf.
X509_user_identity= is the only one that changes, but for a smartcard
it too is pretty much fixed: PKCS11:module_name:slotno and could be in
krb5.conf or at least pam.conf.
Even with file based credentials, I saw in a previous note that the Globus
user proxy cert and key names (/tmp/x509up_<xxx>) were being used in one
of the tests. The user proxy would normally be pointed at by X509_USER_PROXY
(session based delegated credentials), and if no proxy was available
X509_USER_CERT and X509_USER_KEY would point at the user's long term
cert and key, or ~/.globus/usercert.pem, ~/.globus/userkey.pem would
be used as the last default.
So could the krb5.conf have some way to specify a list of
X509_user_identity= entries to try? Like PKCS11 first if there is a
reader, card, then a proxy, then default files in the home directory?
[pam_krb5_console] (i.e. gdm, only use smartcard)
[pam_krb5_globus_sshd] (i.e. Globus auth and delegation of proxy, get local krb5 creds)
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
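The fallback order Engert asks for above (smartcard first if one is configured, then the Globus proxy, then the long-term cert and key, then the ~/.globus defaults) as an added example; this is not code from the thread or from the krb5 or Globus projects. Assumptions not on the page: the FILE:cert,key form of the identity string, that a readable PKCS#11 module library stands in for "a reader is present", and a permission check that refuses a private key readable by group or others, which is the same refusal Globus GSI makes for userkey.pem. The proxy is taken only from X509_USER_PROXY, since the default proxy file name is left unspecified above.

```sh
#!/bin/sh
# Added example: build an ordered list of X509_user_identity candidates
# for a PAM PKINIT module, in the order proposed in the message.
# Assumptions (not from the page): FILE:cert,key string form; a readable
# PKCS#11 module file means a reader is configured; keys readable by
# group/others are rejected.

# key_is_private FILE: true only when group and other bits are all clear.
key_is_private() {
    # columns 5-10 of "ls -l" are the group and other permission bits
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# pkinit_candidates MODULE SLOT
# Prints one X509_user_identity candidate per line, most preferred first.
pkinit_candidates() {
    module=$1
    slot=${2:-0}

    # 1. Smartcard: only when the PKCS#11 module is actually installed
    #    (assumption: module presence stands in for a configured reader).
    if [ -n "$module" ] && [ -r "$module" ]; then
        printf 'PKCS11:%s:%s\n' "$module" "$slot"
    fi

    # 2. Globus proxy (session credentials), pointed at by X509_USER_PROXY.
    #    A proxy file carries both cert and key, so it is named twice.
    proxy=${X509_USER_PROXY:-}
    if [ -n "$proxy" ] && [ -r "$proxy" ] && key_is_private "$proxy"; then
        printf 'FILE:%s,%s\n' "$proxy" "$proxy"
    fi

    # 3. Long-term cert and key from the environment, else ~/.globus defaults.
    cert=${X509_USER_CERT:-$HOME/.globus/usercert.pem}
    key=${X509_USER_KEY:-$HOME/.globus/userkey.pem}
    if [ -r "$cert" ] && [ -r "$key" ] && key_is_private "$key"; then
        printf 'FILE:%s,%s\n' "$cert" "$key"
    fi
}

# first_identity MODULE SLOT: the single entry a PAM module would try first,
# empty output when nothing usable is found.
first_identity() {
    pkinit_candidates "$1" "$2" | head -n 1
}

# Usage (hypothetical module path):
#   pkinit_candidates /usr/lib/opensc-pkcs11.so 0
```

A console PAM stack (gdm) would call pkinit_candidates with a module and take only the PKCS11 line; an sshd stack that already holds a delegated Globus proxy would call it with an empty module argument so the proxy comes first. Dropping a world-readable key from the list rather than failing outright keeps the later defaults reachable while still refusing to use a key that another local user could have copied.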