pkinit preauth plugin issue
William.Fiveash at sun.com
Wed Feb 10 16:36:28 EST 2010
On Wed, Feb 10, 2010 at 03:12:57PM -0500, Sam Hartman wrote:
> Ah, I see a bit of disconnect here.
> I'm asking for an API. That's a bit tricky to do as the core library
> does not know about the pkinit plugin.
> What we have is a way to pass text strings to pkinit.
> I think what I'm asking for is a structured string that must include a
> PIN and may optionally include location information.

I'm thinking that could be done via krb5_get_init_creds_opt_set_pa() and
related functions below it. pam_krb5 could call that and pass in a PIN
option that is a structured string as you describe that would have the
PIN string and optionally location info. The pkinit plugin would use
this option if set instead of prompting for a PIN. Does that sound like
a reasonable modification?
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA
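
One way a plugin could validate a structured PIN option of the kind discussed above, added here as an illustration and not code from the krb5 tree or from either poster. The `pin=...;location=...` layout, `struct pin_opt` and the function names are assumptions; the thread defines no format, and this layout cannot carry a PIN that contains `;`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical option value: "pin=<PIN>[;location=<text>]", fields in any order. */
struct pin_opt {
    char pin[64];
    char location[128];           /* stays empty when not supplied */
};

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Copy one field value into dst; -1 if it does not fit with its terminator. */
static int take(const char *val, size_t len, char *dst, size_t cap)
{
    if (len >= cap) return -1;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Returns 0 on success; -1 (with *out wiped) on an unknown, duplicate, empty or
 * oversized field, or when the mandatory PIN is missing. */
int parse_pin_opt(const char *s, struct pin_opt *out)
{
    int have_pin = 0;
    memset(out, 0, sizeof(*out));
    while (*s) {
        size_t flen = strcspn(s, ";");   /* length of the current field */
        int rc = -1;
        if (flen > 4 && strncmp(s, "pin=", 4) == 0 && !have_pin) {
            rc = take(s + 4, flen - 4, out->pin, sizeof(out->pin));
            have_pin = (rc == 0);
        } else if (flen >= 9 && strncmp(s, "location=", 9) == 0 && !out->location[0]) {
            rc = take(s + 9, flen - 9, out->location, sizeof(out->location));
        }
        if (rc != 0) { wipe(out, sizeof(*out)); return -1; }
        s += flen + (s[flen] == ';');    /* step over the separator, if any */
    }
    if (!have_pin) { wipe(out, sizeof(*out)); return -1; }
    return 0;
}

int main(void)
{
    struct pin_opt o;
    int rc = parse_pin_opt("pin=1234;location=slot 0", &o); /* constructed sample */
    printf("rc=%d location=\"%s\"\n", rc, o.location);      /* never log the PIN */
    wipe(&o, sizeof(o));
    return rc ? 1 : 0;
}
```

The caller should wipe its own copy of the option string as well once the plugin has consumed it.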