pkinit preauth plugin issue
jhutz at cmu.edu
Tue Feb 16 11:46:15 EST 2010
--On Tuesday, February 16, 2010 05:16:31 AM -0500 Sam Hartman <hartmans at mit.edu> wrote:
> The purpose of this list is to look at design and development of MIT
> Kerberos. That Sun internal design discussion has interesting
> implications for MIT Kerberos: we need to provide a mechanism to feed a
> PIN into pkinit.
You're right, of course. There's an appropriate forum for discussing the
design of pkinit support in Sun's pam_krb5, and this isn't it. And,
regardless of what happens on that front, it remains the case that MIT
Kerberos will need some interface for feeding a PIN into pkinit, or for
allowing pkinit to request one.
However, Doug and Nico bring up an interesting point. There are other
kinds of inputs besides traditional passwords and PINs, such as OTPs and
responses for challenge-response mechanisms. Some of these don't require
as much careful separation as we'd like to see for PINs, but some will, and
in any case, the user and sometimes the calling application need to know
what is being asked for. Perhaps the right solution here, at least in the
long term, is a general API rather than a PKINIT-specific one.