pkinit preauth plugin issue

Nicolas Williams Nicolas.Williams at
Mon Feb 15 15:58:07 EST 2010

On Mon, Feb 15, 2010 at 03:49:04PM -0500, Jeffrey Hutzelman wrote:
> A nice theory, but using PAM_AUTHTOK for both passwords and PINs is asking 
> for trouble.  Unfortunately, the original PAM API design just isn't quite 
> flexible enough for this case.

I tend to agree.  I've been thinking that we could patch this up by
adding a PAM item to indicate what type of "token" the PAM_AUTHTOK value
is.  Such an item would default to "PAM_AUTHTOK is a password" and would
get reset every time PAM_AUTHTOK is set.

Would it be preferable to have separate items for "password" and "PIN"
(and "OTP", "response to challenge", ...)?

Also, note that knowing that some string is a PIN is not enough: you
need to know which token (ugh; here I mean smartcard) the PIN is for.
Assuming there's only one token [for the current seat] works, but that
seems like a lousy assumption.
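The proposal in this message (a separate item saying what kind of secret PAM_AUTHTOK holds, defaulting to "password", reset whenever PAM_AUTHTOK is set, and a PIN that is only meaningful together with the token it belongs to) can be modelled in a few dozen lines of C. The example below is added here and is not code from the thread, from libpam or from the pkinit plugin; `ITEM_AUTHTOK_TYPE`, `ITEM_AUTHTOK_TOKEN_ID`, `model_set_item` and `model_get_pin` are hypothetical names standing in for the real `pam_set_item`/`pam_get_item` and a new item that libpam does not define. It shows a smartcard-aware consumer refusing to treat an unlabelled authtok as a PIN, and the label not surviving a later overwrite of the authtok.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Item identifiers for the model.  ITEM_AUTHTOK stands in for the real
 * PAM_AUTHTOK; ITEM_AUTHTOK_TYPE and ITEM_AUTHTOK_TOKEN_ID are hypothetical
 * items modelling the proposal in the message (not real libpam items). */
enum model_item { ITEM_AUTHTOK, ITEM_AUTHTOK_TYPE, ITEM_AUTHTOK_TOKEN_ID };

/* What kind of secret the authtok string is.  PASSWORD is the default so a
 * module that never learned about the new item keeps today's behaviour. */
enum authtok_type { AUTHTOK_PASSWORD = 0, AUTHTOK_PIN, AUTHTOK_OTP };

struct model_handle {
    char *authtok;           /* the secret itself */
    enum authtok_type type;  /* what ITEM_AUTHTOK currently holds */
    char *token_id;          /* which smartcard a PIN belongs to, or NULL */
};

static int dup_string(char **dst, const char *src)
{
    char *copy = strdup(src);
    if (copy == NULL)
        return -1;
    free(*dst);
    *dst = copy;
    return 0;
}

/* Generic setter shaped like pam_set_item(): 0 on success, -1 on a bad item
 * or allocation failure. */
int model_set_item(struct model_handle *h, enum model_item item, const void *value)
{
    switch (item) {
    case ITEM_AUTHTOK:
        if (dup_string(&h->authtok, (const char *)value) != 0)
            return -1;
        /* Every time the authtok is set the type reverts to "password", as
         * proposed.  Clearing the token id as well is this example's own
         * choice, so a stale id cannot outlive the PIN it described. */
        h->type = AUTHTOK_PASSWORD;
        free(h->token_id);
        h->token_id = NULL;
        return 0;
    case ITEM_AUTHTOK_TYPE:
        h->type = *(const enum authtok_type *)value;
        return 0;
    case ITEM_AUTHTOK_TOKEN_ID:
        return dup_string(&h->token_id, (const char *)value);
    }
    return -1;
}

/* How a smartcard-aware module would consume the items: the authtok is used
 * as a PIN only when the type says PIN *and* the PIN is bound to a specific
 * token.  Returns 1 if a usable PIN was found, 0 so the caller can prompt. */
int model_get_pin(const struct model_handle *h, const char **pin, const char **token_id)
{
    if (h->authtok == NULL || h->type != AUTHTOK_PIN || h->token_id == NULL)
        return 0;
    *pin = h->authtok;
    *token_id = h->token_id;
    return 1;
}

void model_clear(struct model_handle *h)
{
    free(h->authtok);
    free(h->token_id);
    memset(h, 0, sizeof *h);
}

/* Constructed walkthrough.  Returns a bitmask: bit 0 set if a plain password
 * was (wrongly) accepted as a PIN, bit 1 if a labelled PIN with a token id
 * was accepted, bit 2 if the label survived a later authtok overwrite.
 * The intended behaviour yields exactly 2. */
int model_walkthrough(void)
{
    struct model_handle h = {0};
    const char *pin, *tok;
    enum authtok_type t = AUTHTOK_PIN;
    int result = 0;

    model_set_item(&h, ITEM_AUTHTOK, "hunter2");          /* a password module ran */
    result |= model_get_pin(&h, &pin, &tok) << 0;

    model_set_item(&h, ITEM_AUTHTOK, "1234");             /* a card prompt ran ... */
    model_set_item(&h, ITEM_AUTHTOK_TYPE, &t);            /* ... and labelled it ... */
    model_set_item(&h, ITEM_AUTHTOK_TOKEN_ID, "slot0:serial-EXAMPLE"); /* ... for this card */
    result |= model_get_pin(&h, &pin, &tok) << 1;

    model_set_item(&h, ITEM_AUTHTOK, "new-password");     /* a later module overwrote it */
    result |= model_get_pin(&h, &pin, &tok) << 2;

    model_clear(&h);
    return result;
}

int main(void)
{
    printf("walkthrough result: %d (expected 2)\n", model_walkthrough());
    return 0;
}
```

Whether the type lives in one item with several values (as here) or in separate "password"/"PIN"/"OTP" items is the open question in the message; the consumer-side check is the same either way, and the token id is what turns "this is a PIN" into "this is the PIN for that card".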


More information about the krbdev mailing list