pkinit preauth plugin issue
Shawn M Emery
Shawn.Emery at sun.com
Sun Feb 14 23:35:28 EST 2010
On 02/14/10 10:13 AM, Jeffrey Hutzelman wrote:
> --On Wednesday, February 10, 2010 01:51:36 PM -0600 Will Fiveash
> <William.Fiveash at sun.com> wrote:
>> The problem I'm dealing with is that pam_krb5 when configured to use
>> PKINIT may find PAM_AUTHTOK set and if that is the case I was informed*
>> that pam_krb5 should assume that is the PIN and pass that to the pkinit
>> preauth plugin.
> That sounds like a really bad idea, for the same reason -- conflating PINs
> and passwords is a recipe for lockouts.
I brought up the same concern in the design review, but I finally
relented and stated that if an administrator had configured PAM in this
manner with the ability to use hard tokens on the same system then they
deserve accelerated lockouts.
A point that Nico brought up: the reason why passwords could be required
in the pam_krb5-PKINIT case would be in environments in which a soft
token, encrypted w/the user's password, resides on a flash drive.