pkinit preauth plugin issue
Nicolas.Williams at sun.com
Mon Feb 15 15:58:07 EST 2010
On Mon, Feb 15, 2010 at 03:49:04PM -0500, Jeffrey Hutzelman wrote:

> A nice theory, but using PAM_AUTHTOK for both passwords and PINs is asking
> for trouble. Unfortunately, the original PAM API design just isn't quite
> flexible enough for this case.

I tend to agree. I've been thinking that we could patch this up by
adding a PAM item to indicate what type of "token" the PAM_AUTHTOK value
is. Such an item would default to "PAM_AUTHTOK is a password" and would
get reset every time PAM_AUTHTOK is set.

Would it be preferable to have separate items for "password" and "PIN"
(and "OTP", "response to challenge", ...)?

Also, note that knowing that some string is a PIN is not enough: you
need to know which token (ugh; here I mean smartcard) the PIN is for.
Assuming there's only one token [for the current seat] works, but that
seems like a lousy assumption.