pkinit preauth plugin issue

Will Fiveash William.Fiveash at
Mon Feb 15 14:23:48 EST 2010

On Mon, Feb 15, 2010 at 01:31:25PM -0500, Jeffrey Hutzelman wrote:
> --On Sunday, February 14, 2010 09:35:28 PM -0700 Shawn M Emery 
> <Shawn.Emery at> wrote:
> > On 02/14/10 10:13 AM, Jeffrey Hutzelman wrote:
> >> --On Wednesday, February 10, 2010 01:51:36 PM -0600 Will Fiveash
> >> <William.Fiveash at>  wrote:
> >>
> >>
> >>> The problem I'm dealing with is that pam_krb5 when configured to use
> >>> PKINIT may find PAM_AUTHTOK set and if that is the case I was informed*
> >>> that pam_krb5 should assume that is the PIN and pass that to the pkinit
> >>> preauth plugin.
> >>>
> >> That sounds like a really bad idea, for the same reason -- conflating
> >> PIN's and passwords is a recipe for lockouts.
> >>
> >
> > I brought up the same concern in the design review, but I finally
> > relented and stated that if an administrator had configured PAM in this
> > manner with the ability to use hard tokens on the same system then they
> > deserve accelerated lockouts.
> I don't think it's inappropriate to configure a system to permit use of 
> either passwords or tokens, or that doing so should automatically result in 
> pam_krb5 conflating PINs and passwords.  For example, we've been looking 
> for some time at setting things up so that help desk staff can log in on 
> untrusted user machines using smart cards, to avoid compromising their 
> passwords, but users can still log in with a password.

That can be accomplished via this pam.conf stack:

login auth required 
login auth sufficient pkinit
login auth requisite
login auth required 

Note that pam_authtok_get's function is to prompt for and set the PAM
auth token/password item.  When pam_krb5 with pkinit is stacked above
pam_authtok_get pam authtok isn't set so the user is prompted for a PIN
if a the pkinit preauth plugin finds an object that requires login in
order to access the cert/priv key.  If there is not object or the login
doesn't succeed the evaluation proceeds to pam_authtok_get and pam_krb5
tries password based krb auth.

> If an administrator wants pam_krb5 to assume passwords are PINs, that's 
> fine.  Make them set a module option that does that.  Don't make it the 
> default.

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA

More information about the krbdev mailing list