pkinit updates

Douglas E. Engert deengert at
Wed Dec 20 09:27:00 EST 2006

Russ Allbery wrote:

> Douglas E Engert <deengert at> writes:
>>Jeffrey Hutzelman wrote:
>>>That depends on one's PAM module.  But currently, if one's PAM module 
>>>does not provide a way to specify the principal, then it must infer it 
>>>from PAM_USER. 
>>Is now the time to get Russ to add a prompt for principal to his
>>pam? It's something that has been missing for years.
> I can certainly add that as an option if anyone wants it.  I'm guessing
> that one wouldn't want to prompt by default, and I'd need some help
> understanding the desired semantics and use case.

Yes, this should be optional. Maybe an argv option like ask_princ.

We still use a pam_krb5 module based on Frank Cusack's version from a few
years ago on some systems, see below, but want to use the vendor's version
if possible. We added a prompt for principal, which comes after the user
and password prompts, with the prompt "different Kerberos principal or blank".
So in most cases, the user would just hit enter.

The rationale is that at login at the console or via ssh, the user has
no way to specify the local unix username and the principal if they
are different. (Using ssh -l and gss the user can specify both, but that's
not pam.)

This is not a PKINIT specific problem, but has come up again with
PKINIT as there may be no SAN in the cert to use or it may not
match the principal name to be used and this may not match the local
username to derive the principal.

I believe a CAC card has a SAN like 123456789@mil, and a PIV
will have a SAN with a FASC-N which will be a large number assigned
by the federal agency issuing the card.

So a change like this gives the added flexibility to specify both
a username and principal. When the principal is <username>@<default_realm>
the user only needs to hit return.

     /* Get principal name */
     if (askprinc) {
         /*
          *  Prompt user again for the principal.
          *  If blank, then use the name as is.
          */
         if ((pamret = get_user_info(pamh,
                 "different Kerberos principal or blank",
                 PAM_PROMPT_ECHO_ON, &princ_name)) != 0) {
             /* PAM_AUTH_ERR here means the user entered nothing (blank) */
             if (pamret != PAM_AUTH_ERR) {
                 DLOG("get_user_info()", pam_strerror(pamh, pamret));
                 pamret = PAM_SERVICE_ERR;
                 goto cleanup2;
             }
         }
     }

P.S. I am on vacation this week, so am responding sporadically.

  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
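The fallback rule the post describes (blank answer means PAM_USER@default_realm, an answer without a realm gets the default realm appended, a full principal is used as typed), written out as a stand-alone C function. This is an added illustration, not code from the thread or from any pam_krb5; the names resolve_principal and has_realm, the realm EXAMPLE.COM and the test inputs are assumptions, and the escaped "\@" handling follows the Kerberos principal syntax rather than anything in the post.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Nonzero if the name already carries a realm: it contains an '@' that is
 * not escaped with a backslash ("\@" is a literal '@' inside a component). */
static int has_realm(const char *name)
{
    for (const char *p = name; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; }
        if (*p == '@') return 1;
    }
    return 0;
}

/* Derive the principal to authenticate as from the PAM_USER name and the
 * answer to the "different Kerberos principal or blank" prompt.
 *   entered NULL or only whitespace  -> pam_user@default_realm
 *   entered with an unescaped '@'    -> used exactly as typed
 *   otherwise                        -> entered@default_realm
 * Returns 0 on success, -1 if the input is too long or the result would
 * not fit in out (never silently truncate a principal name). */
int resolve_principal(const char *pam_user, const char *entered,
                      const char *default_realm, char *out, size_t outlen)
{
    char buf[256];
    size_t len;
    int n;

    /* Trim surrounding whitespace so a bare Enter (or "\n") counts as blank. */
    if (entered == NULL) entered = "";
    while (isspace((unsigned char)*entered)) entered++;
    len = strlen(entered);
    if (len >= sizeof buf) return -1;
    while (len > 0 && isspace((unsigned char)entered[len - 1])) len--;
    memcpy(buf, entered, len);
    buf[len] = '\0';

    if (len == 0)
        n = snprintf(out, outlen, "%s@%s", pam_user, default_realm);
    else if (has_realm(buf))
        n = snprintf(out, outlen, "%s", buf);
    else
        n = snprintf(out, outlen, "%s@%s", buf, default_realm);

    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```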
