pkinit preauth plugin issue

Douglas E. Engert deengert at
Tue Feb 16 10:29:15 EST 2010

Nicolas Williams wrote:
> On Mon, Feb 15, 2010 at 03:49:04PM -0500, Jeffrey Hutzelman wrote:
>> A nice theory, but using PAM_AUTHTOK for both passwords and PINs is asking 
>> for trouble.  Unfortunately, the original PAM API design just isn't quite 
>> flexible enough for this case.
> I tend to agree.  I've been thinking that we could patch this up by
> adding a PAM item to indicate what type of "token" the PAM_AUTHTOK value
> is.  Such an item would default to "PAM_AUTHTOK is a password" and would
> get reset every time PAM_AUTHTOK is set.

Will the GUI login panel displayed to the user give the user the choice
of what is being requested?  Without clear directions to the user as to what
is being typed you will still have mixups.

> Would it be preferable to have separate items for "password" and "PIN"
> (and "OTP", "response to challenge", ...)?

It really comes down to the user telling (or being told) what type of
authentication they want to try (or is required). You list 4 above
there may be many more.

> Also, note that knowing that some string is a PIN is not enough: you
> need to know which token (ugh; here I mean smartcard) the PIN is for.
> Assuming there's only one token [for the current seat] works, but that
> seems like a lousy assumption.

This has always been a problem, as to which reader to use if more then
one and which card the user should use. The user should know what PIN goes
with their card. You just need to tell them what card the system
thinks it is using.

PKCS11 can be used to get the card label and pin label. The Open Source
pam_krb5, MIT and opensc-pkcs11 does this. The prompt is displayed by the
pam conv and krb5 prompter routines.

This also allows the PKCS11 to tell the caller that there is a PIN pad
reader, and the PIN is NOT entered on the keyboard. Please keep
in mind as every time I bring this up it with Sun it keeps being ignored.
I believe the open source code can use this. I hope to test in the next
few weeks.

> Nico


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list