pkinit preauth plugin issue

Will Fiveash William.Fiveash at sun.com
Mon Feb 8 19:54:23 EST 2010


While doing more testing of pam_krb5 pkinit I noticed that the pkinit
preauth plugin code does not use gak_data if it is set via:

krb5_get_init_creds_password(
                    kmd->kcontext,
                    my_creds,
                    me,
                    *krb5_pass, /* clear text passwd */
                    ^^^^^^^^^^ this is set 
                    NULL, /* prompter */
                    NULL, /* prompter data */
                    0, /* start time */
                    NULL, /* defaults to krbtgt at REALM */
                    &opts);

This is troublesome because I want pkinit to use the gak_data/password
if set as the PIN/PEM password.  I see that pkinit_client_process() has
a gak_data input parameter but doesn't do anything with it.

Note, if krb5_get_init_creds_password is called like so:

krb5_get_init_creds_password(kmd->kcontext,
                my_creds,
                me,
                NULL, /* clear text passwd */
                pam_krb5_prompter, /* prompter */
                pamh, /* prompter data */
                0, /* start time */
                NULL, /* defaults to krbtgt at REALM */
                &opts);

then pkinit will use the pam_krb5_prompter() and acquire the PIN/PEM
password and things function normally.

Thoughts on whether it is reasonable for pkinit to pay attention to
gak_data?

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA