pkinit updates
Douglas E. Engert
deengert at anl.gov
Tue Dec 19 10:11:22 EST 2006
Jeffrey Hutzelman wrote:
>
>>> But what's the principal?
>>>
>>> It's the one the user gave on the kinit command line, and passed down
>>> through init_creds. Or PAM equivalent. Are you suggesting we should
>>> try to guess the principal and realm when it hasn't been specified?
>>> How?
>>
>>
>> One does not tell PAM what one's principal is
>
>
> That depends on one's PAM module. But currently, if one's PAM module
> does not provide a way to specify the principal, then it must infer it
> from PAM_USER.
Is now the time to get Russ to add a prompt for principal to his
pam? It's something that has been missing for years.
> The same goes for kinit. If a smartcard or token is in
> use, it might be interesting to enumerate the credentials on the card
> that might be appropriate for PKINIT and use one, especially if you
> could examine the corresponding principal names and do the authorization
> checks in advance, so the user doesn't have to pick the "right"
> principal. But the Kerberos API currently provides no way to do this,
> so an application that wants to do so must be PKCS11-aware.
Well, the prompter can do this, and that is part of the API,
so the preauth could use the prompter, even through kinit
or pam.
>
>
> -- Jeff
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
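As an added illustration of the point made above about the prompter (this is not code from the thread, from MIT Kerberos, or from Russ's PAM module): a C sketch of how a preauth plugin could hand the caller's krb5_prompter_fct a numbered menu of candidate principals, for example names read from certificates on a smart card, and act only on a valid index from the reply. The candidate list is constructed, the libkrb5 types are minimal local stand-ins so the file compiles without <krb5.h> (their shapes follow the public definitions), and the scripted prompter stands in for whatever prompter kinit or a PAM module would pass down.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the libkrb5 types, so this compiles without <krb5.h>.
 * Real code includes <krb5.h> and drops these; the shapes follow the public
 * krb5_data / krb5_prompt / krb5_prompter_fct definitions. */
typedef void *krb5_context;
typedef int krb5_error_code;
typedef struct { int magic; unsigned int length; char *data; } krb5_data;
typedef struct { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;
typedef krb5_error_code (*krb5_prompter_fct)(krb5_context, void *, const char *,
                                             const char *, int, krb5_prompt[]);

/* Constructed sample: principals the certificates on a card might map to. */
static const char *const SAMPLE_CANDS[] = { "alice@EXAMPLE.COM",
                                            "alice/admin@EXAMPLE.COM" };

/* Present the candidates as a numbered menu through the caller's prompter and
 * copy the chosen name into out. Returns 0 on success, EINVAL when the reply is
 * not a number in range, ENAMETOOLONG if out is too small, or the prompter's
 * own error. The reply is only ever used as an index into the list the plugin
 * built itself; it is never taken as a principal name. */
krb5_error_code
choose_principal(krb5_context ctx, krb5_prompter_fct prompter, void *pdata,
                 const char *const *cands, int ncands, char *out, size_t outlen)
{
    char banner[512] = "", prompt_text[64], reply_buf[32], *end;
    krb5_data reply = { 0, sizeof reply_buf, reply_buf };
    krb5_prompt prompt = { prompt_text, 0 /* a menu pick is not secret */, &reply };
    krb5_error_code ret;
    long idx;

    if (ncands <= 0) return EINVAL;
    for (int i = 0; i < ncands; i++) {
        size_t used = strlen(banner);
        snprintf(banner + used, sizeof banner - used, "%d) %s\n", i + 1, cands[i]);
    }
    snprintf(prompt_text, sizeof prompt_text, "Principal to use [1-%d]", ncands);

    ret = prompter(ctx, pdata, NULL, banner, 1, &prompt);
    if (ret) return ret;
    /* The prompter sets reply.length to the bytes it wrote; terminate defensively. */
    if (reply.length >= sizeof reply_buf) reply.length = sizeof reply_buf - 1;
    reply_buf[reply.length] = '\0';

    errno = 0;
    idx = strtol(reply_buf, &end, 10);
    if (errno || end == reply_buf || *end != '\0' || idx < 1 || idx > ncands)
        return EINVAL;
    if (strlen(cands[idx - 1]) >= outlen) return ENAMETOOLONG;
    strcpy(out, cands[idx - 1]);
    return 0;
}

/* Non-interactive prompter: answers every prompt with the string in data.
 * Stands in here for the prompter kinit or a PAM module would pass down. */
krb5_error_code
scripted_prompter(krb5_context ctx, void *data, const char *name,
                  const char *banner, int num_prompts, krb5_prompt prompts[])
{
    const char *answer = data;
    (void)ctx; (void)name; (void)banner;
    for (int i = 0; i < num_prompts; i++) {
        krb5_data *r = prompts[i].reply;
        size_t n = strlen(answer);
        if (n >= r->length) return ENOMEM;   /* caller's reply buffer too small */
        memcpy(r->data, answer, n);
        r->length = (unsigned int)n;
    }
    return 0;
}

/* Run the menu over SAMPLE_CANDS with a scripted answer; NULL if rejected. */
const char *demo_choice(const char *answer)
{
    static char chosen[128];
    if (choose_principal(NULL, scripted_prompter, (void *)answer, SAMPLE_CANDS, 2,
                         chosen, sizeof chosen) != 0)
        return NULL;
    return chosen;
}

int main(void)
{
    const char *answers[] = { "2", "9", "abc" };
    for (int i = 0; i < 3; i++) {
        const char *p = demo_choice(answers[i]);
        printf("reply %-4s -> %s\n", answers[i], p ? p : "rejected");
    }
    return 0;
}
```

A real plugin would pass the prompter and its data pointer exactly as received from the library, so the same code works whether the prompt ends up on kinit's terminal or inside a PAM conversation; a non-interactive caller can supply a prompter like scripted_prompter that answers from configuration instead of asking the user.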