pkinit prompting behavior issue

Nicolas Williams Nicolas.Williams at
Tue Feb 23 15:11:16 EST 2010

On Tue, Feb 23, 2010 at 01:27:10PM -0600, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> >On Tue, Feb 23, 2010 at 11:20:30AM -0600, Douglas E. Engert wrote:
> >>Russ's pam_krb5 took care of this, as PKINIT was not called until a blank
> >>was entered for the password. So the user could insert the card before
> >>typeing the blank. About the best one could do with current PAM stacks.
> >
> >Why have a password prompt if you're doing PKINIT?
> Without major modifications to the pam stack, a password prompt is all
> you really have to work with. The next step would be prompt "enter
> password or insert card and enter a blank".
> Based on the discussions about the Sun pam_krb5 being in the stack in
> more then one place, you are trying to get around this problem by
> getting a prompt up before the pam_authtok_get would prompt for a
> password.  pam in general still only likes a user and password.

Huh?  PAM is absolutely not bound to have only password prompts.  All
prompts should come from modules.  Applications that put up a dialog
with a username and password prompt are broken (GDM on OpenSolaris, for
example, gets this right).  A pam_krb5 module is perfectly capable of
prompting for the user to insert their smartcard.


More information about the krbdev mailing list