pkinit preauth plugin issue

Will Fiveash William.Fiveash at
Wed Feb 10 14:51:36 EST 2010

On Wed, Feb 10, 2010 at 12:15:54PM -0500, Sam Hartman wrote:
> As I indicated on the release team call yesterday, I strongly object to
> pkinit using gak_data as a pin for access to smart cards.  The reason is
> that confusing pins and passwords can be problematic and can lead to
> card lock outs.

Yes, that is why in my most recent e-mail in this thread I was asking
about extending the gic opts for the pkinit plugin to allow a caller to
set a PIN option.

> I think an API that took some slot identifier or token identifier and a
> pin and fed them to pkinit would be a great idea though.

The problem I'm dealing with is that pam_krb5 when configured to use
PKINIT may find PAM_AUTHTOK set and if that is the case I was informed*
that pam_krb5 should assume that is the PIN and pass that to the pkinit
preauth plugin.  pam_krb5 is not aware of the pkinit config so it will
not have slot or token information (that information will be available
to the pkinit plugin via krb5.conf).  Perhaps token and slot information
could also be pkinit gic opts?

* In the design review held on kerberos-discuss at (also
viewable via Subject:
PSARC/2009/576 final spec).

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA

More information about the krbdev mailing list