pkinit prompting behavior issue

Sam Hartman hartmans at MIT.EDU
Mon Feb 22 21:07:04 EST 2010

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> What I observe when the pkinit preauth plugin is configured to
    Will> use PKCS11 and it doesn't find a PKCS11 token is that it
    Will> doesn't prompt the user to insert a token and instead just
    Will> returns failure.  As people have pointed out this is a problem
    Will> for apps like pam_krb5 which is relying on the pkinit plugin
    Will> to prompt for it's auth needs.  What I'd like to see is the
    Will> pkinit plugin (when configured for PKCS11) prompt the user to
    Will> insert/provide a token if it doesn't find one (using a
    Will> localized string).  This would be default behavior but if
    Will> needed could be controlled by a new pkinit config parameter to
    Will> prevent such a prompt (in which case the pkinit plugin would
    Will> behave as it does now).

I think this sounds good.  At first, I was wondering whether you should
still prompt if you can't even find a reader.  However I'm not sure it's
easy to determine that at the PKCS11 level.  Also, if you have a USB
token, that's the wrong approach.


More information about the krbdev mailing list