pkinit preauth plugin issue
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Feb 15 13:31:25 EST 2010
--On Sunday, February 14, 2010 09:35:28 PM -0700 Shawn M Emery
<Shawn.Emery at sun.com> wrote:
> On 02/14/10 10:13 AM, Jeffrey Hutzelman wrote:
>> --On Wednesday, February 10, 2010 01:51:36 PM -0600 Will Fiveash
>> <William.Fiveash at sun.com> wrote:
>>
>>
>>> The problem I'm dealing with is that pam_krb5 when configured to use
>>> PKINIT may find PAM_AUTHTOK set and if that is the case I was informed*
>>> that pam_krb5 should assume that is the PIN and pass that to the pkinit
>>> preauth plugin.
>>>
>> That sounds like a really bad idea, for the same reason -- conflating
>> PIN's and passwords is a recipe for lockouts.
>>
>
> I brought up the same concern in the design review, but I finally
> relented and stated that if an administrator had configured PAM in this
> manner with the ability to use hard tokens on the same system then they
> deserve accelerated lockouts.
I don't think it's inappropriate to configure a system to permit use of
either passwords or tokens, or that doing so should automatically result in
pam_krb5 conflating PINs and passwords. For example, we've been looking
for some time at setting things up so that help desk staff can log in on
untrusted user machines using smart cards, to avoid compromising their
passwords, but users can still log in with a password.
If an administrator wants pam_krb5 to assume passwords are PINs, that's
fine. Make them set a module option that does that. Don't make it the
default.
-- Jeff
More information about the krbdev
mailing list