pkinit preauth plugin issue

Shawn M Emery Shawn.Emery at
Sun Feb 14 23:35:28 EST 2010

On 02/14/10 10:13 AM, Jeffrey Hutzelman wrote:
> --On Wednesday, February 10, 2010 01:51:36 PM -0600 Will Fiveash
> <William.Fiveash at>  wrote:
>> The problem I'm dealing with is that pam_krb5 when configured to use
>> PKINIT may find PAM_AUTHTOK set and if that is the case I was informed*
>> that pam_krb5 should assume that is the PIN and pass that to the pkinit
>> preauth plugin.
> That sounds like a really bad idea, for the same reason -- conflating PINs
> and passwords is a recipe for lockouts.

I brought up the same concern in the design review, but I finally 
relented and stated that if an administrator had configured PAM in this 
manner with the ability to use hard tokens on the same system then they 
deserve accelerated lockouts.

A point that Nico brought up: the reason why passwords could be required 
in the pam_krb5-PKINIT case would be in environments in which a soft 
token, encrypted with the user's password, resides on a flash drive.
