pkinit prompting behavior issue

Will Fiveash William.Fiveash at
Mon Feb 22 17:46:39 EST 2010

What I observe when the pkinit preauth plugin is configured to use
PKCS11 and it doesn't find a PKCS11 token is that it doesn't prompt the
user to insert a token and instead just returns failure.  As people have
pointed out this is a problem for apps like pam_krb5 which is relying on
the pkinit plugin to prompt for its auth needs.  What I'd like to see
is the pkinit plugin (when configured for PKCS11) prompt the user to
insert/provide a token if it doesn't find one (using a localized
string).  This would be default behavior but if needed could be
controlled by a new pkinit config parameter to prevent such a prompt (in
which case the pkinit plugin would behave as it does now).

Will Fiveash
Sun Microsystems Inc.
