pkinit prompting behavior issue

Jeffrey Hutzelman jhutz at
Tue Feb 23 10:05:37 EST 2010

--On Monday, February 22, 2010 09:07:04 PM -0500 Sam Hartman 
<hartmans at> wrote:

>>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:
>     Will> What I observe when the pkinit preauth plugin is configured to
>     Will> use PKCS11 and it doesn't find a PKCS11 token is that it
>     Will> doesn't prompt the user to insert a token and instead just
>     Will> returns failure.  As people have pointed out this is a problem
>     Will> for apps like pam_krb5 which is relying on the pkinit plugin
>     Will> to prompt for its auth needs.  What I'd like to see is the
>     Will> pkinit plugin (when configured for PKCS11) prompt the user to
>     Will> insert/provide a token if it doesn't find one (using a
>     Will> localized string).  This would be default behavior but if
>     Will> needed could be controlled by a new pkinit config parameter to
>     Will> prevent such a prompt (in which case the pkinit plugin would
>     Will> behave as it does now).
> I think this sounds good.  At first, I was wondering whether you should
> still prompt if you can't even find a reader.  However I'm not sure it's
> easy to determine that at the PKCS11 level.  Also, if you have a USB
> token, that's the wrong approach.

IIRC, PKCS11 is not good with slots dynamically appearing and disappearing. 
The workaround is to advertise empty slots that don't even correspond to a 
reader until one appears.  So indeed, it can be difficult at the PKCS11 
level to tell the difference between an empty slot that corresponds to an 
empty reader and one that corresponds to no reader at all.  Also, as you 
note, in the case of USB tokens the reader and card are the same physical 
device, and neither appears until the user inserts it.

I think at the Kerberos/PKINIT layer, the correct default behavior is as 
Will proposes - if no card/token is found, prompt for one.  PAM modules 
should probably be configurable in this respect; depending on the 
environment, one might wish to prompt for a token if none is present or 
assume that if there is no token, the user does not intend to use PKINIT.

-- Jeff
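As an added illustration of the decision being discussed (this is example code, not part of the thread, of pam_krb5, or of the MIT krb5 pkinit plugin): the PKCS#11 side of the question reduces to "does C_GetSlotList(tokenPresent=CK_TRUE) return anything?", and the prompt-or-fail choice sits on top of that. The model below uses the real CK_SLOT_INFO flag values from pkcs11t.h, but the slot tables, the `prompt_for_token` knob (standing in for the unnamed config parameter Will proposes), and the `find_token` loop are constructed for the example.

```python
"""Model of "no PKCS#11 token found: prompt or fail?" for a PKINIT client.

Example code, not from the krbdev thread or the krb5 code base. The slot
tables and the prompt loop are constructed; the CKF_* values are the real
CK_SLOT_INFO flag bits from pkcs11t.h.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Real CK_SLOT_INFO.flags bits (pkcs11t.h).
CKF_TOKEN_PRESENT = 0x00000001
CKF_REMOVABLE_DEVICE = 0x00000002
CKF_HW_SLOT = 0x00000004


@dataclass(frozen=True)
class Slot:
    """One entry of a module's slot table (what C_GetSlotInfo would report)."""
    slot_id: int
    description: str
    flags: int

    def token_present(self) -> bool:
        return bool(self.flags & CKF_TOKEN_PRESENT)


# Constructed slot tables for the three situations the thread distinguishes.
READER_WITH_CARD = [Slot(0, "Reader 0 (card inserted)",
                         CKF_HW_SLOT | CKF_REMOVABLE_DEVICE | CKF_TOKEN_PRESENT)]
EMPTY_READER = [Slot(0, "Reader 0 (empty)", CKF_HW_SLOT | CKF_REMOVABLE_DEVICE)]
# A module advertising a slot that corresponds to no reader at all, so that a
# hot-plugged reader or USB token has somewhere to appear later. Whether such a
# placeholder carries CKF_HW_SLOT is up to the module, so the flag cannot be
# relied on to tell this case from EMPTY_READER; the absence here is by
# construction only.
PLACEHOLDER_SLOT = [Slot(0, "Placeholder (no reader attached)", CKF_REMOVABLE_DEVICE)]
NO_SLOTS: List[Slot] = []


def slots_with_token(slots: Iterable[Slot]) -> List[Slot]:
    """Equivalent of C_GetSlotList(tokenPresent=CK_TRUE) over a slot table."""
    return [s for s in slots if s.token_present()]


class SlotSource:
    """Stands in for repeated C_GetSlotList calls: returns the given tables in
    order and repeats the last one, so a test can simulate the user inserting
    a token between the first and second enumeration."""

    def __init__(self, *tables: List[Slot]) -> None:
        self._tables = list(tables)
        self.calls = 0

    def __call__(self) -> List[Slot]:
        self.calls += 1
        return self._tables[min(self.calls - 1, len(self._tables) - 1)]


def find_token(enumerate_slots: Callable[[], List[Slot]],
               prompter: Callable[[str], bool],
               prompt_for_token: bool = True,
               max_attempts: int = 3) -> Optional[Slot]:
    """Return the first slot holding a token, or None if none can be found.

    prompt_for_token=True is the proposed default: ask the user to insert a
    token and re-enumerate. prompt_for_token=False is the current behaviour
    described in the thread: report failure to the caller without prompting.
    `prompter` receives the (to-be-localized) message and returns True if the
    user wants another attempt, False to give up.
    """
    for _ in range(max_attempts):
        present = slots_with_token(enumerate_slots())
        if present:
            return present[0]
        if not prompt_for_token:
            return None  # caller (e.g. a PAM module) decides what to do next
        if not prompter("Please insert your smart card or token and press Enter"):
            return None  # user declined
    return None  # gave up after max_attempts enumerations


if __name__ == "__main__":
    src = SlotSource(EMPTY_READER, READER_WITH_CARD)
    slot = find_token(src, lambda msg: print(msg) or True)
    print("selected:", slot, "after", src.calls, "enumerations")
```

Note that `slots_with_token(EMPTY_READER)` and `slots_with_token(PLACEHOLDER_SLOT)` are both empty: from the enumeration alone the client cannot tell an empty reader from no reader, which is why the prompt is made the default and the suppression is left to configuration rather than to detection.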
