pkinit prompting behavior issue

Jeffrey Hutzelman jhutz at
Tue Feb 23 16:28:49 EST 2010

--On Tuesday, February 23, 2010 02:11:16 PM -0600 Nicolas Williams 
<Nicolas.Williams at> wrote:

>> Without major modifications to the pam stack, a password prompt is all
>> you really have to work with. The next step would be prompt "enter
>> password or insert card and enter a blank".
>> Based on the discussions about the Sun pam_krb5 being in the stack in
>> more than one place, you are trying to get around this problem by
>> getting a prompt up before the pam_authtok_get would prompt for a
>> password.  pam in general still only likes a user and password.
> Huh?  PAM is absolutely not bound to have only password prompts.  All
> prompts should come from modules.  Applications that put up a dialog
> with a username and password prompt are broken (GDM on OpenSolaris, for
> example, gets this right).  A pam_krb5 module is perfectly capable of
> prompting for the user to insert their smartcard.

You miss the point.  The issue is deciding whether the user wants to use 
PKINIT or password-based authentication.  PAM's prompting interface is not 
rich enough to allow modules to ask this in a useful way, and cannot 
remember the answer so you don't prompt the user 10 times to figure out 
which authentication method he wants.  What the module in question does 
instead is assume that you want to use password authentication if you typed 
a password, and PKINIT if not (in which case you may then be prompted for a 
PIN).  This isn't perfect, but it's at least workable.

-- Jeff