pkinit preauth plugin issue

Jeffrey Hutzelman jhutz at
Mon Feb 15 13:31:25 EST 2010

--On Sunday, February 14, 2010 09:35:28 PM -0700 Shawn M Emery 
<Shawn.Emery at> wrote:

> On 02/14/10 10:13 AM, Jeffrey Hutzelman wrote:
>> --On Wednesday, February 10, 2010 01:51:36 PM -0600 Will Fiveash
>> <William.Fiveash at>  wrote:
>>> The problem I'm dealing with is that pam_krb5 when configured to use
>>> PKINIT may find PAM_AUTHTOK set and if that is the case I was informed*
>>> that pam_krb5 should assume that is the PIN and pass that to the pkinit
>>> preauth plugin.
>> That sounds like a really bad idea, for the same reason -- conflating
>> PINs and passwords is a recipe for lockouts.
> I brought up the same concern in the design review, but I finally
> relented and stated that if an administrator had configured PAM in this
> manner with the ability to use hard tokens on the same system then they
> deserve accelerated lockouts.

I don't think it's inappropriate to configure a system to permit use of 
either passwords or tokens, or that doing so should automatically result in 
pam_krb5 conflating PINs and passwords.  For example, we've been looking 
for some time at setting things up so that help desk staff can log in on 
untrusted user machines using smart cards, to avoid compromising their 
passwords, but users can still log in with a password.

If an administrator wants pam_krb5 to assume passwords are PINs, that's 
fine.  Make them set a module option that does that.  Don't make it the 

-- Jeff
