pkinit prompting behavior issue
Sam Hartman
hartmans at MIT.EDU
Mon Feb 22 21:07:04 EST 2010
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
Will> What I observe when the pkinit preauth plugin is configured to
Will> use PKCS11 and it doesn't find a PKCS11 token is that it
Will> doesn't prompt the user to insert a token and instead just
Will> returns failure. As people have pointed out this is a problem
Will> for apps like pam_krb5 which is relying on the pkinit plugin
Will> to prompt for its auth needs. What I'd like to see is the
Will> pkinit plugin (when configured for PKCS11) prompt the user to
Will> insert/provide a token if it doesn't find one (using a
Will> localized string). This would be default behavior but if
Will> needed could be controlled by a new pkinit config parameter to
Will> prevent such a prompt (in which case the pkinit plugin would
Will> behave as it does now).
I think this sounds good. At first, I was wondering whether you should
still prompt if you can't even find a reader. However I'm not sure it's
easy to determine that at the PKCS11 level. Also, if you have a USB
token, that's the wrong approach.
--Sam
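The behaviour proposed above, as an added example that is not part of this thread and not the krb5 pkinit plugin's own code: a small model in which the plugin asks the PKCS#11 module for slots with a token present, and, when there are none, calls the application's prompter and re-checks, unless prompting has been disabled (the current behaviour). The module, its slot table, and the names `MockPkcs11Module`, `find_token`, `reader_known` and `prompt_on_missing` are all assumptions for illustration; only the CKF_* flag values come from the PKCS#11 specification. The example also deliberately does not give up when no slot at all is visible, for the reason Sam gives: a USB token is reader and token in one device, so before it is plugged in there is no slot to find.

```python
"""Model of pkinit-style token prompting over PKCS#11 (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# CK_SLOT_INFO flag bits as defined in the PKCS#11 specification.
CKF_TOKEN_PRESENT = 0x00000001
CKF_REMOVABLE_DEVICE = 0x00000002
CKF_HW_SLOT = 0x00000004


@dataclass
class Slot:
    slot_id: int
    description: str
    flags: int


class MockPkcs11Module:
    """Stand-in for a PKCS#11 module (assumption): only the slot enumeration
    the prompting logic depends on. The slot table is constructed test data."""

    def __init__(self, slots: List[Slot]):
        self.slots = list(slots)

    def get_slot_list(self, token_present: bool) -> List[Slot]:
        """Models C_GetSlotList(tokenPresent, ...): with tokenPresent set, only
        slots currently holding a token are returned."""
        if token_present:
            return [s for s in self.slots if s.flags & CKF_TOKEN_PRESENT]
        return list(self.slots)

    def insert_card(self, slot_id: int) -> None:
        """A card goes into an existing reader: that slot gains CKF_TOKEN_PRESENT."""
        for s in self.slots:
            if s.slot_id == slot_id:
                s.flags |= CKF_TOKEN_PRESENT

    def plug_usb_token(self, slot: Slot) -> None:
        """A USB token is reader and token in one device: a brand-new slot
        appears, already holding a token. Before that there was no slot at all."""
        self.slots.append(slot)


class PkinitTokenError(Exception):
    """Raised where the plugin would return failure to its caller."""


# Application-supplied prompter (pam_krb5, kinit, ...). Returns False on cancel.
Prompter = Callable[[str], bool]


def reader_known(module: MockPkcs11Module) -> bool:
    """Whether the module reports any slot, with or without a token. Useful to
    know, but NOT a reliable 'no reader, so do not bother prompting' test: a
    USB token shows no slot until it is plugged in."""
    return bool(module.get_slot_list(token_present=False))


def find_token(module: MockPkcs11Module, prompter: Optional[Prompter],
               prompt_on_missing: bool = True, max_prompts: int = 3) -> Slot:
    """Return the first slot holding a token, prompting the user to insert one
    when none is present. prompt_on_missing=False (a hypothetical config
    switch) restores the fail-immediately behaviour."""
    prompts = 0
    while True:
        present = module.get_slot_list(token_present=True)
        if present:
            return present[0]
        if not prompt_on_missing or prompter is None:
            raise PkinitTokenError("no PKCS#11 token present")
        if prompts >= max_prompts:
            raise PkinitTokenError(
                f"no PKCS#11 token present after {prompts} prompts")
        prompts += 1
        # In a real plugin this string would be localized and passed through
        # the caller's prompter callback rather than printed directly.
        if not prompter("Please insert your PKCS#11 token and press Enter"):
            raise PkinitTokenError("token prompt cancelled by user")


if __name__ == "__main__":
    # Constructed scenario: one empty card reader; the user inserts a card
    # when prompted, and the second enumeration finds a token.
    module = MockPkcs11Module([Slot(0, "Reader 0", CKF_REMOVABLE_DEVICE | CKF_HW_SLOT)])

    def console_prompter(message: str) -> bool:
        print(message)
        module.insert_card(0)  # stands in for the user acting on the prompt
        return True

    print("using token in", find_token(module, console_prompter).description)
```

Note that the retry loop re-enumerates slots on every pass rather than caching the first result, which is what makes the USB case work: the slot that holds the token does not exist until after the prompt.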