pkinit preauth plugin issue

Sam Hartman hartmans at MIT.EDU
Wed Feb 10 17:00:27 EST 2010

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> On Wed, Feb 10, 2010 at 03:12:57PM -0500, Sam Hartman wrote:
    >> Ah, I see a bit of disconnect here.  I'm asking for an API.
    >> That's a bit tricky to do as the core library does not know about
    >> the pkinit plugin.  What we have is a way to pass text strings to
    >> pkinit.
    >> I think what I'm asking for is a structured string that must
    >> include a PIN and may optionally include location information.

    Will> I'm thinking that could be done via
    Will> krb5_get_init_creds_opt_set_pa() and related functions below
    Will> it.  pam_krb5 could call that and pass in a PIN option that is
    Will> a structured string as you describe that would have the PIN
    Will> string and optionally location info.  The pkinit plugin would
    Will> use this option if set instead of prompting for a PIN.  Does
    Will> that sound like a reasonable modification?


