bug in pkinit preauth plugin?

Will Fiveash William.Fiveash at sun.com
Wed Oct 28 19:06:47 EDT 2009

I notice that if "pkinit_identities = PKCS11:" is set in krb5.conf the
pkint preauth plugin will prompt the user for a PIN even if the user has
no certs in their token (I was testing using Solaris pkcs11_softtoken).
I think the bug is here in

    /* Login if needed */
    if (tinfo.flags & CKF_LOGIN_REQUIRED)
        r = pkinit_login(context, cctx, &tinfo);

Given that certs are normally public objects in a token and should not
require login to view I think the pkinit plugin should, by default,
search for appropriate public certs and if there are none return failure
without prompting the user for a PIN.  If support for private certs is
necessary then perhaps there should be a new config parameter that would
cause pkinit to always prompt.  Thoughts?

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA

More information about the krbdev mailing list