pkinit prompting behavior issue

Russ Allbery rra at stanford.edu
Tue Feb 23 17:14:58 EST 2010


Jeffrey Hutzelman <jhutz at cmu.edu> writes:

> You miss the point.  The issue is deciding whether the user wants to use
> PKINIT or password-based authentication.  PAM's prompting interface is
> not rich enough to allow modules to ask this in a useful way, and cannot
> remember the answer so you don't prompt the user 10 times to figure out
> which authentication method he wants.  What the module in question does
> instead is assume that you want to use password authentication if you
> typed a password, and PKINIT if not (in which case you may then be
> prompted for a PIN).  This isn't perfect, but it's at least workable.

Well, sort of.  The relevant settings in my PAM module are:

=item pkinit_prompt

Before attempting PKINIT authentication, prompt the user to insert a smart
card.  You may want to set this option for programs such as
B<gnome-screensaver> that call PAM as soon as the mouse is touched and
don't give the user an opportunity to enter the smart card first.  Any
information entered at the first prompt is ignored.  If I<try_pkinit> is
set, a user who wishes to use a password instead can just press Enter and
then enter their password as normal.  This option is only used if
I<try_pkinit> or I<use_pkinit> are set.

This option can be set in F<krb5.conf> and is only applicable to the auth
and password groups.

=item try_pkinit

Attempt PKINIT authentication before trying a regular password.  You will
probably also need to set the I<pkinit_user> configuration option.  If
PKINIT fails, the PAM module will fall back on regular password
authentication.  This option is currently only supported if pam-krb5 was
built against Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later.

This option can be set in F<krb5.conf> and is only applicable to the auth
and password groups.

=item use_pkinit

Require PKINIT authentication.  You will probably also need to set the
I<pkinit_user> configuration option.  If PKINIT fails, authentication will
fail.  This option is currently only supported if pam-krb5 was built
against Heimdal 0.8rc1 or later.

This option can be set in F<krb5.conf> and is only applicable to the auth
and password groups.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
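The interplay of the three options quoted above, modelled as an added example (not pam-krb5's own code): the scripted Session, the card reader stand-in, and the PIN and password values are constructed here to show when the first prompt is ignored, when PKINIT falls back to a password, and when it does not.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Options:
    try_pkinit: bool = False
    use_pkinit: bool = False
    pkinit_prompt: bool = False


@dataclass
class Session:
    """Scripted PAM conversation: answers are consumed in prompt order."""
    answers: List[str]
    card_present: bool = False   # constructed stand-in for a smart card reader
    pin: str = "1234"            # constructed PIN the card accepts
    password: str = "hunter2"    # constructed Kerberos password
    transcript: List[str] = field(default_factory=list)

    def prompt(self, text: str) -> str:
        self.transcript.append(text)
        return self.answers.pop(0) if self.answers else ""


def pkinit(sess: Session) -> bool:
    """Stand-in for a PKINIT attempt: needs a card and the right PIN."""
    if not sess.card_present:
        return False
    return sess.prompt("PIN: ") == sess.pin


def authenticate(opts: Options, sess: Session) -> Optional[str]:
    """Return the method that succeeded ('pkinit' or 'password') or None."""
    pkinit_enabled = opts.try_pkinit or opts.use_pkinit
    if opts.pkinit_prompt and pkinit_enabled:
        # Whatever is typed at this first prompt is ignored; a user who
        # wants a password instead simply presses Enter here.
        sess.prompt("Insert smart card and press Enter: ")
    if pkinit_enabled:
        if pkinit(sess):
            return "pkinit"
        if opts.use_pkinit:
            return None          # use_pkinit: PKINIT failure is final
    # try_pkinit falls back here; plain password auth when PKINIT is off.
    return "password" if sess.prompt("Password: ") == sess.password else None
```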


