bug in pkinit preauth plugin?
Will Fiveash
William.Fiveash at sun.com
Wed Oct 28 19:06:47 EDT 2009
I notice that if "pkinit_identities = PKCS11:" is set in krb5.conf the
pkinit preauth plugin will prompt the user for a PIN even if the user has
no certs in their token (I was testing using Solaris pkcs11_softtoken).
I think the bug is here in
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:pkinit_open_session():
    /* Login if needed */
    if (tinfo.flags & CKF_LOGIN_REQUIRED)
        r = pkinit_login(context, cctx, &tinfo);
Given that certs are normally public objects in a token and should not
require login to view I think the pkinit plugin should, by default,
search for appropriate public certs and if there are none return failure
without prompting the user for a PIN. If support for private certs is
necessary then perhaps there should be a new config parameter that would
cause pkinit to always prompt. Thoughts?
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA