pkinit prompting behavior issue
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Feb 23 18:47:25 EST 2010
On Feb 23, 2010, at 8:38 AM, krbdev-request at mit.edu wrote:
> Date: Mon, 22 Feb 2010 16:46:39 -0600
> From: Will Fiveash <William.Fiveash at sun.com>
> Subject: pkinit prompting behavior issue
> To: MIT Kerberos Dev List <krbdev at mit.edu>
> Message-ID: <20100222224639.GM14762 at sun.com>
> Content-Type: text/plain; charset=us-ascii
>
> What I observe when the pkinit preauth plugin is configured to use
> PKCS11 and it doesn't find a PKCS11 token is that it doesn't prompt the
> user to insert a token and instead just returns failure. As people have
> pointed out this is a problem for apps like pam_krb5 which is relying on
> the pkinit plugin to prompt for its auth needs.
I'm sure many (most?) people will disagree with me, but I don't have a big problem with this, per se. If the PAM chain fails, then it just restarts from the top in most environments. The user then plugs the card in and tries again. IMO failure/retry should be a property of the application, not PAM or any PAM modules.
Of course it would be good if the user got a useful error message, like "no smart card found", and that's probably impossible if you've got a PAM chain that goes on to try something else. Also, if "something else" is possible for the same user and has its own lockout-on-failure tracking, then you might cause other problems.
> What I'd like to see
> is the pkinit plugin (when configured for PKCS11) prompt the user to
> insert/provide a token if it doesn't find one (using a localized
> string). This would be default behavior but if needed could be
> controlled by a new pkinit config parameter to prevent such a prompt (in
> which case the pkinit plugin would behave as it does now).
If you can make this happen it would be nice.
> --
> Will Fiveash
> Sun Microsystems Inc.
> http://opensolaris.org/os/project/kerberos/
> Sent from mutt, a sweet text MUA
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu