pkinit prompting behavior issue

Nicolas Williams Nicolas.Williams at
Tue Feb 23 13:04:25 EST 2010

On Tue, Feb 23, 2010 at 11:20:30AM -0600, Douglas E. Engert wrote:
> It may be blocking, but before the C_Login is called, one should have called
> C_GetTokenInfo and test the CK_TOKEN_INFO for 
> in which case the C_Login pin parameter should be NULL.
> So a "enter pin on pad" message (not a prompt) could be displayed before the
> call to C_Login it will then block waiting for the user to enter the pin.

Indeed, that's a messagem not a prompt.  But I think GUIs typically
implement PAM messages as dialogs with an Ok button.  Perhaps that's
mistake and informative messages should be displayed until the next
conversation, with the conversation function returning immediately.
(Yes, that would really help.)

> (Its not clear how a user cancels the operation, could be user pull out the 
> card?)


> >I'm not sure when you'd ever want to assume that "no token present ->
> >don't use PKINIT" in a PAM app.  I guess if you're prompting for a
> >username and the user enters one without having inserted a token then
> >you might want to assume that no token will be available.  Screen saver
> >apps don't prompt for a username because they set PAM_USER ahead of
> >calling pam_authenticate().  (Ah, in screen saver context we might want
> >pam_krb5 to know whether PKINIT had been needed on the original login
> >and to skip PKINIT if not.)
> Russ's pam_krb5 took care of this, as PKINIT was not called until a blank
> was entered for the password. So the user could insert the card before
> typeing the blank. About the best one could do with current PAM stacks.

Why have a password prompt if you're doing PKINIT?

> >As for PKCS#11 softtokens on USB drives...  I believe that a softtoken
> >...
> PKCS#11 says the list of slots is fixed at the time C_Initialize is called.
> OpenSC pkcs#11 in the svn has a "Virtual hotplug slot" designed to use with
> USB tokens, to get around this issue.

Yes, but a softtoken implementation can pretend that there are N slots
at that point.


More information about the krbdev mailing list