pkinit preauth plugin issue

Will Fiveash William.Fiveash at sun.com
Tue Feb 9 17:26:02 EST 2010


On Mon, Feb 08, 2010 at 06:54:23PM -0600, Will Fiveash wrote:
> While doing more testing of pam_krb5 pkinit I noticed that the pkinit
> preauth plugin code does not use gak_data if it is set via:
> 
> krb5_get_init_creds_password(
>                     kmd->kcontext,
>                     my_creds,
>                     me,
>                     *krb5_pass, /* clear text passwd */
>                     ^^^^^^^^^^ this is set 
>                     NULL, /* prompter */
>                     NULL, /* prompter data */
>                     0, /* start time */
>                     NULL, /* defaults to krbtgt at REALM */
>                     &opts);
> 
> This is troublesome because I want pkinit to use the gak_data/password
> if set as the PIN/PEM password.  I see that pkinit_client_process() has
> a gak_data input parameter but doesn't do anything with it.
> 
> Note, if krb5_get_init_creds_password is called like so:
> 
> krb5_get_init_creds_password(kmd->kcontext,
>                 my_creds,
>                 me,
>                 NULL, /* clear text passwd */
>                 pam_krb5_prompter, /* prompter */
>                 pamh, /* prompter data */
>                 0, /* start time */
>                 NULL, /* defaults to krbtgt at REALM */
>                 &opts);
> 
> then pkinit will use the pam_krb5_prompter() and acquire the PIN/PEM
> password and things function normally.
> 
> Thoughts on whether it is reasonable for pkinit to pay attention to
> gak_data?

After bringing this up on the MITKC dev. call I understand that using
gak_data as a PIN for PKINIT purposes is not appropriate.  What I'm
thinking about doing instead is adding support for a new field in the
pkinit_identity_opts struct that would allow the caller to set the PIN
(via pkinit_client_gic_opt()) and the pkinit plugin when needing the PIN
to access the private key would check to see if this is set and use it
instead of prompting for it.  Does this sound reasonable?

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
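Added example (not part of this thread and not MIT krb5 code): a self-contained C sketch of the "use the caller-supplied PIN if set, otherwise fall back to the prompter" behaviour proposed above. The struct `example_identity_opts`, the `pin` field, the prompter signature and every function name are assumptions chosen for illustration; they are not the real `pkinit_identity_opts` layout, `pkinit_client_gic_opt()` or `krb5_prompter_fct`. The sample identity string and the fake prompter answers are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for pkinit_identity_opts: only the fields this
 * example needs.  "pin" is the proposed new field.  The layout is an
 * assumption for illustration, not MIT krb5's real struct. */
typedef struct {
    char *identity;   /* constructed sample, e.g. "PKCS11:slotid=0" */
    char *pin;        /* caller-supplied PIN, or NULL to prompt */
} example_identity_opts;

/* Callback shape loosely modelled on the krb5 prompter idea
 * (callback + opaque data); not the real krb5_prompter_fct. */
typedef int (*example_prompter_fn)(void *data, const char *prompt,
                                   char *out, size_t outlen);

/* Copy the PIN for the identity into out.  Returns 0 on success.
 * Prefers the PIN set in opts and only calls the prompter when none
 * was configured; *prompted records which path was taken. */
int example_get_pin(const example_identity_opts *opts,
                    example_prompter_fn prompter, void *prompter_data,
                    char *out, size_t outlen, int *prompted)
{
    *prompted = 0;
    if (opts->pin != NULL) {
        size_t n = strlen(opts->pin);
        if (n + 1 > outlen)
            return -1;            /* caller's buffer is too small */
        memcpy(out, opts->pin, n + 1);
        return 0;
    }
    if (prompter == NULL)
        return -1;                /* nothing set and nobody to ask */
    *prompted = 1;
    return prompter(prompter_data, "PIN for identity: ", out, outlen);
}

/* Constructed prompter for the scenarios below: returns a fixed answer
 * and counts how often it was invoked. */
typedef struct { int calls; const char *answer; } fake_prompter_state;

int example_fake_prompter(void *data, const char *prompt,
                          char *out, size_t outlen)
{
    fake_prompter_state *st = (fake_prompter_state *)data;
    (void)prompt;
    st->calls++;
    if (strlen(st->answer) + 1 > outlen)
        return -1;
    strcpy(out, st->answer);
    return 0;
}

/* Best-effort wipe of a secret buffer once the PIN has been used;
 * volatile keeps the compiler from dropping the stores as dead. */
void example_wipe(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len--)
        *p++ = 0;
}

/* Scenario helper: 1 = PIN taken from opts without prompting,
 * 2 = PIN came from the prompter, negative = error or inconsistency. */
int example_scenario(const char *preset_pin, const char *prompt_answer,
                     char *pin_out, size_t len)
{
    example_identity_opts opts = { "PKCS11:slotid=0", (char *)preset_pin };
    fake_prompter_state st = { 0, prompt_answer };
    int prompted = 0;
    int rc = example_get_pin(&opts, example_fake_prompter, &st,
                             pin_out, len, &prompted);
    if (rc != 0)
        return rc;
    if (prompted && st.calls == 1)
        return 2;
    if (!prompted && st.calls == 0)
        return 1;
    return -2;                    /* prompted flag and call count disagree */
}

/* Runs a scenario and additionally checks which PIN string came back;
 * returns the scenario code, or -3 if the PIN is not the expected one. */
int example_check(const char *preset_pin, const char *prompt_answer,
                  const char *expected_pin)
{
    char pin[64];
    int r = example_scenario(preset_pin, prompt_answer, pin, sizeof pin);
    if (r > 0 && strcmp(pin, expected_pin) != 0)
        r = -3;
    example_wipe(pin, sizeof pin);
    return r;
}

int main(void)
{
    printf("preset PIN   -> source=%d\n", example_check("1234", "5678", "1234"));
    printf("no preset    -> source=%d\n", example_check(NULL, "5678", "5678"));
    return 0;
}
```

The point of the split is that the module deciding where the PIN comes from never knows whether a PAM module, a test harness or a terminal is behind the prompter; the caller-set field simply short-circuits that path, which is the behaviour the proposal asks for.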