pkinit preauth plugin issue

Jeffrey Hutzelman jhutz at
Tue Feb 16 11:46:15 EST 2010

--On Tuesday, February 16, 2010 05:16:31 AM -0500 Sam Hartman 
<hartmans at> wrote:

> The purpose of this list is to look at design and development of MIT
> Kerberos.  That Sun internal design discussion has interesting
> implications for MIT Kerberos: we need to provide a mechanism to feed a
> PIN into pkinit.

You're right, of course.  There's an appropriate forum for discussing the 
design of pkinit support in Sun's pam_krb5, and this isn't it.  And, 
regardless of what happens on that front, it remains the case that MIT 
Kerberos will need some interface for feeding a PIN into pkinit, or for 
allowing pkinit to request one.

However, Doug and Nico bring up an interesting point.  There are other 
kinds of inputs besides traditional passwords and PINs, such as OTPs and 
responses for challenge-response mechanisms.  Some of these don't require 
as much careful separation as we'd like to see for PINs, but some will, and 
in any case, the user and sometimes the calling application need to know 
what is being asked for.  Perhaps the right solution here, at least in the 
long term, is a general API rather than a PKINIT-specific one.

-- Jeff
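As an added illustration of the design direction Jeff describes (a general, mechanism-neutral input API in which the request carries what kind of input is wanted, so the application and the user know what they are being asked for), here is a self-contained C sketch. It is not MIT Kerberos code and not an API the library had at the time; the names `preauth_input_request`, `preauth_responder_fn`, `pkinit_get_pin` and `otp_get_response` are hypothetical, and the PINs and OTP values are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Kind of input a preauthentication mechanism is asking for
 * (hypothetical API sketch, not MIT Kerberos code). */
enum preauth_input_kind {
    PREAUTH_INPUT_PASSWORD,
    PREAUTH_INPUT_PIN,        /* e.g. a smart-card PIN needed by pkinit */
    PREAUTH_INPUT_OTP,        /* a one-time password value */
    PREAUTH_INPUT_CHALLENGE   /* a response to a server-supplied challenge */
};

/* What the mechanism tells the application, so the application (and the
 * user) know what is being asked for. */
struct preauth_input_request {
    enum preauth_input_kind kind;
    const char *mechanism;    /* "pkinit", "otp", ... (hypothetical names) */
    const char *challenge;    /* only set for PREAUTH_INPUT_CHALLENGE */
};

/* Application callback: fill 'out' and return 0, or return -1 to decline
 * (the mechanism then fails instead of improvising a prompt). */
typedef int (*preauth_responder_fn)(const struct preauth_input_request *req,
                                    char *out, size_t outlen, void *ctx);

/* Overwrite a buffer that held a secret; volatile keeps the stores. */
static void secure_wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--) *v++ = 0;
}

/* Library side: obtain the input through the generic hook and apply
 * kind-specific sanity checks before the mechanism uses it. */
static int preauth_request_input(preauth_responder_fn fn, void *ctx,
                                 const struct preauth_input_request *req,
                                 char *out, size_t outlen)
{
    size_t i, n;
    if (fn == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (fn(req, out, outlen, ctx) != 0) {
        secure_wipe(out, outlen);
        return -1;                 /* application declined */
    }
    out[outlen - 1] = '\0';
    n = strlen(out);
    if (req->kind == PREAUTH_INPUT_PIN) {
        /* A PIN is short and numeric; reject anything else before it is
         * ever presented to the token (wrong PINs count against lockout). */
        int ok = (n >= 4 && n <= 12);
        for (i = 0; ok && i < n; i++)
            if (!isdigit((unsigned char)out[i])) ok = 0;
        if (!ok) { secure_wipe(out, outlen); return -2; }
    } else if (n == 0) {
        return -2;                 /* empty answer for a non-PIN request */
    }
    return 0;
}

/* Two mechanisms sharing the one hook instead of each inventing its own. */
static int pkinit_get_pin(preauth_responder_fn fn, void *ctx, char *out, size_t outlen)
{
    struct preauth_input_request req = { PREAUTH_INPUT_PIN, "pkinit", NULL };
    return preauth_request_input(fn, ctx, &req, out, outlen);
}

static int otp_get_response(preauth_responder_fn fn, void *ctx,
                            const char *challenge, char *out, size_t outlen)
{
    struct preauth_input_request req = {
        challenge ? PREAUTH_INPUT_CHALLENGE : PREAUTH_INPUT_OTP, "otp", challenge };
    return preauth_request_input(fn, ctx, &req, out, outlen);
}

/* Application side: canned answers (constructed sample data) stand in for a
 * real UI. 'pin_allowed' models an application without a trusted path to the
 * user, which declines PIN requests rather than handling the PIN itself. */
struct app_ctx { int pin_allowed; const char *pin; const char *otp; };

static int app_responder(const struct preauth_input_request *req,
                         char *out, size_t outlen, void *ctx)
{
    struct app_ctx *a = ctx;
    switch (req->kind) {
    case PREAUTH_INPUT_PIN:
        if (!a->pin_allowed) return -1;
        snprintf(out, outlen, "%s", a->pin);
        return 0;
    case PREAUTH_INPUT_OTP:
        snprintf(out, outlen, "%s", a->otp);
        return 0;
    case PREAUTH_INPUT_CHALLENGE:   /* toy reply: challenge tagged with the OTP */
        snprintf(out, outlen, "%s:%s", req->challenge, a->otp);
        return 0;
    default:
        return -1;
    }
}

int main(void)
{
    char buf[32];
    struct app_ctx gui = { 1, "1234", "482913" }, headless = { 0, "1234", "482913" };
    printf("pkinit PIN, GUI app: rc=%d\n", pkinit_get_pin(app_responder, &gui, buf, sizeof buf));
    printf("pkinit PIN, headless app: rc=%d\n", pkinit_get_pin(app_responder, &headless, buf, sizeof buf));
    printf("otp challenge: rc=%d\n", otp_get_response(app_responder, &gui, "ch-77", buf, sizeof buf));
    printf("otp answer: %s\n", buf);
    secure_wipe(buf, sizeof buf);
    return 0;
}
```

The point of the sketch is the request structure rather than the toy mechanisms: because every request names its kind, an application can give a PIN the separate treatment Jeff mentions (decline it, or route it to a trusted prompt and wipe the buffer afterwards) while answering an OTP or challenge inline, and a new mechanism gets that behaviour by reusing the hook rather than defining its own.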
