pkinit preauth plugin issue

Jeffrey Hutzelman jhutz at
Sun Feb 14 12:13:32 EST 2010

--On Wednesday, February 10, 2010 01:51:36 PM -0600 Will Fiveash 
<William.Fiveash at> wrote:

> The problem I'm dealing with is that pam_krb5 when configured to use
> PKINIT may find PAM_AUTHTOK set and if that is the case I was informed*
> that pam_krb5 should assume that is the PIN and pass that to the pkinit
> preauth plugin.

That sounds like a really bad idea, for the same reason -- conflating PINs 
and passwords is a recipe for lockouts.

-- Jeff

More information about the krbdev mailing list