pkinit preauth plugin issue

Will Fiveash William.Fiveash at
Wed Feb 10 16:36:28 EST 2010

On Wed, Feb 10, 2010 at 03:12:57PM -0500, Sam Hartman wrote:
> Ah, I see a bit of disconnect here.
> I'm asking for an API.  That's a bit tricky to do as the core library
> does not know about the pkinit plugin.
> What we have as a way to pass text strings to pkinit.
> I think what I'm asking for is a structured string that must include a
> PIN and may optionally include location information.

I'm thinking that could be done via krb5_get_init_creds_opt_set_pa() and
related functions below it.  pam_krb5 could call that and pass in a PIN
option that is a structured string as you describe that would have the
PIN string and optionally location info.  The pkinit plugin would use
this option if set instead of prompting for a PIN.  Does that sound like
a reasonable modification?

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA

More information about the krbdev mailing list