pkinit preauth plugin issue

Sam Hartman hartmans at MIT.EDU
Wed Feb 10 15:06:14 EST 2010

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> On Wed, Feb 10, 2010 at 12:15:54PM -0500, Sam Hartman wrote:
    >> As I indicated on the release team call yesterday, I strongly
    >> object to pkinit using gak_data as a pin for access to smart
    >> cards.  The reason is that confusing pins and passwords can be
    >> problematic and can lead to card lock outs.

    Will> Yes, that is why in my most recent e-mail in this thread I was
    Will> asking about extending the gic opts for the pkinit plugin to
    Will> allow a caller to set a PIN option.

    >> I think an API that took some slot identifier or token identifier
    >> and a pin and fed them to pkinit would be a great idea though.

    Will> The problem I'm dealing with is that pam_krb5 when configured
    Will> to use PKINIT may find PAM_AUTHTOK set and if that is the case
    Will> I was informed* that pam_krb5 should assume that is the PIN
    Will> and pass that to the pkinit preauth plugin.  
That sounds like a bad choice, but I understand your constraint.

    Will> pam_krb5 is not
    Will> aware of the pkinit config so it will not have slot or token
    Will> information (that information will be available to the pkinit
    Will> plugin via krb5.conf).  Perhaps token and slot information
    Will> could also be pkinit gic opts?

The API should probably take both a PIN and some sort of identification
information.  If the identification information is NULL then the PIN
will just be used.  If the identification information is present, then
the pin should only be used if the identification information matches.
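As an added illustration of the rule just proposed (not code from this thread or from MIT Kerberos), the following C sketch shows a plugin-side check that applies a caller-supplied PIN only when the caller's identification information, if any, matches the token the plugin actually found. All type and function names (`pkinit_pin_opt`, `pkinit_token_info`, `pkinit_pin_for_token`, `pkinit_select_token`) and the sample token labels are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical option block a caller such as pam_krb5 could pass to the
 * pkinit plugin: the PIN plus optional identification of the token it is
 * meant for.  Names are assumed for this example, not MIT Kerberos API. */
struct pkinit_pin_opt {
    const char *pin;          /* PIN to present, or NULL if none supplied */
    const char *token_label;  /* expected token label, or NULL = unspecified */
    int         slot_id;      /* expected slot id, or -1 = unspecified */
};

/* Token the plugin found (from krb5.conf settings / PKCS#11 enumeration). */
struct pkinit_token_info {
    const char *label;
    int         slot_id;
};

/*
 * Return the PIN to use for this token, or NULL if it must not be used.
 * Rule from the thread: no identification info -> the PIN is just used;
 * identification info present -> the PIN is used only if every supplied
 * field matches the token.  Refusing on mismatch means a password or a
 * PIN intended for a different card is never tried against this one, so
 * a mix-up cannot burn retry attempts and lock the card.
 */
const char *pkinit_pin_for_token(const struct pkinit_pin_opt *opt,
                                 const struct pkinit_token_info *tok)
{
    if (opt == NULL || opt->pin == NULL || tok == NULL)
        return NULL;

    bool has_label = opt->token_label != NULL;
    bool has_slot  = opt->slot_id >= 0;

    if (!has_label && !has_slot)
        return opt->pin;                     /* nothing to match against */

    if (has_label &&
        (tok->label == NULL || strcmp(opt->token_label, tok->label) != 0))
        return NULL;                         /* label given but differs */

    if (has_slot && opt->slot_id != tok->slot_id)
        return NULL;                         /* slot given but differs */

    return opt->pin;
}

/*
 * Pick the token the PIN applies to out of those the plugin enumerated.
 * Returns the index of the first matching token, or -1 if the PIN may not
 * be used with any of them.  With no identification info the first token
 * wins, i.e. the caller accepts the plugin's default choice.
 */
int pkinit_select_token(const struct pkinit_pin_opt *opt,
                        const struct pkinit_token_info *toks, size_t ntoks)
{
    for (size_t i = 0; i < ntoks; i++)
        if (pkinit_pin_for_token(opt, &toks[i]) != NULL)
            return (int)i;
    return -1;
}

/* Constructed sample data: two enumerated tokens and four caller options. */
static const struct pkinit_token_info sample_tokens[2] = {
    { "OpenSC-Test",   0 },
    { "EmployeeBadge", 3 },
};
static const struct pkinit_token_info sample_card = { "EmployeeBadge", 3 };
static const struct pkinit_pin_opt opt_no_id     = { "1234", NULL,            -1 };
static const struct pkinit_pin_opt opt_label_ok  = { "1234", "EmployeeBadge", -1 };
static const struct pkinit_pin_opt opt_label_bad = { "1234", "OtherCard",     -1 };
static const struct pkinit_pin_opt opt_slot_bad  = { "1234", "EmployeeBadge",  7 };

int main(void)
{
    printf("no id      -> token %d\n", pkinit_select_token(&opt_no_id,     sample_tokens, 2));
    printf("label ok   -> token %d\n", pkinit_select_token(&opt_label_ok,  sample_tokens, 2));
    printf("label bad  -> token %d\n", pkinit_select_token(&opt_label_bad, sample_tokens, 2));
    printf("slot bad   -> token %d\n", pkinit_select_token(&opt_slot_bad,  sample_tokens, 2));
    return 0;
}
```

The slot and label fields are deliberately independent so a caller that only knows one of them (the situation Will describes for pam_krb5, which sees neither) can still be matched on what it does supply; with both NULL/-1 the behaviour degrades to "just use the PIN", which is the case the thread is trying to make explicit rather than implicit.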


More information about the krbdev mailing list