pkinit prompting behavior issue
Nicolas.Williams at sun.com
Tue Feb 23 15:11:16 EST 2010
On Tue, Feb 23, 2010 at 01:27:10PM -0600, Douglas E. Engert wrote:
> Nicolas Williams wrote:
> >On Tue, Feb 23, 2010 at 11:20:30AM -0600, Douglas E. Engert wrote:
> >>Russ's pam_krb5 took care of this, as PKINIT was not called until a blank
> >>was entered for the password. So the user could insert the card before
> >>typeing the blank. About the best one could do with current PAM stacks.
> >Why have a password prompt if you're doing PKINIT?
> Without major modifications to the pam stack, a password prompt is all
> you really have to work with. The next step would be prompt "enter
> password or insert card and enter a blank".
> Based on the discussions about the Sun pam_krb5 being in the stack in
> more then one place, you are trying to get around this problem by
> getting a prompt up before the pam_authtok_get would prompt for a
> password. pam in general still only likes a user and password.
Huh? PAM is absolutely not bound to have only password prompts. All
prompts should come from modules. Applications that put up a dialog
with a username and password prompt are broken (GDM on OpenSolaris, for
example, gets this right). A pam_krb5 module is perfectly capable of
prompting for the user to insert their smartcard.
More information about the krbdev