pkinit preauth plugin issue
hartmans at MIT.EDU
Wed Feb 10 15:06:14 EST 2010
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
Will> On Wed, Feb 10, 2010 at 12:15:54PM -0500, Sam Hartman wrote:
>> As I indicated on the release team call yesterday, I strongly
>> object to pkinit using gak_data as a pin for access to smart
>> cards. The reason is that confusing pins and passwords can be
>> problematic and can lead to card lock outs.
Will> Yes, that is why in my most recent e-mail in this thread I was
Will> asking about extending the gic opts for the pkinit plugin to
Will> allow a caller to set a PIN option.
>> I think an API that took some slot identifier or token identifier
>> and a pin and fed them to pkinit would be a great idea though.
Will> The problem I'm dealing with is that pam_krb5 when configured
Will> to use PKINIT may find PAM_AUTHTOK set and if that is the case
Will> I was informed* that pam_krb5 should assume that is the PIN
Will> and pass that to the pkinit preauth plugin.
That sounds like a bad choice, but I understand your constraint.
Will> pam_krb5 is not
Will> aware of the pkinit config so it will not have slot or token
Will> information (that information will be available to the pkinit
Will> plugin via krb5.conf). Perhaps token and slot information
Will> could also be pkinit gic opts?
The API should probbaly take both a PIN and some sort of identification
information. If the identification information is NULL then the PIN
will just be used. If the identification information is present, then
the pin should only be used if the identification information matches.
More information about the krbdev