jhutz at cmu.edu
Tue Dec 19 17:42:43 EST 2006
On Tuesday, December 19, 2006 04:13:23 PM -0600 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Mon, Dec 18, 2006 at 07:38:46PM -0500, Jeffrey Hutzelman wrote:
>> How about looking for one with a certificate whose PKINIT SAN matches
>> the principal? I would certainly see that as useful for some
> Not generally good enough: what if multiple certs exist on the card that
> have PKINIT SANs?
You use the one whose SAN matches your principal name. If there is more
than one, you use the first one, or prompt the user. Of course, even that
only helps if the certs in question have PKINIT SAN's, and a lot of them
Really, there are two completely different sets of uses here.
(1) Using tools like kinit to obtain tickets
(2) Using tools like login to gain access to a machine.
In case (1), you cannot assume that the workstation administrator knows
anything about selecting the correct credentials. Since the Kerberos
library may be invoked in case (1), it can't make any assumptions either.
In particular, credential selection cannot be based entirely on
preconfiguration, because the person configuring your workstation doesn't
know anything about my token or realm. On the other hand, the UI can be
rich enough to allow the user to specify odd things like a slot number or
label name without requiring them to do so in every case.
In case (2), you can probably assume that the workstation administrator
knows something about what is going on. He knows how the workstation is
configured, what devices are present (to some extent), and he knows what
kind of cards or tokens his users have and how they are configured (though
he may not have any control over that). So the workstation admin may be
able to usefully specify use of a particular slot, or of the cert with a
particular label or SAN or DN. Depending on the deployment, he may even be
able to specify enough that you can get the behavior Love described - user
walks up to his machine, inserts his smartcard, types his PIN, and gets
logged in without ever giving a username.
What the Kerberos library needs to do is make few enough hard assumptions
that (1) is possible for arbitrary realms where the local admin has no
prior knowledge of the "right thing", while also providing an interface
rich enough that an application or PAM module can do (2), possibly in a
highly site-dependent way.
More information about the krbdev