a suggestion for improving pkinit preauth plugin token choosing

Will Fiveash will.fiveash at oracle.com
Mon May 10 18:39:26 EDT 2010

On Mon, May 10, 2010 at 05:21:06AM -0400, Sam Hartman wrote:
> I agree that what you propose is an improvement over the current
> algorithm.
> I'm uncomfortable with two things.
> 1) No way at all to deal with tokens that require login.  I wouldn't
> mind if this needed to be explicitly enabled.  I think what the
> discussions so far have suggested is that we know of no smart cards
> falling into this category especially because they will not work with
> the MS model, but we do know of non-smart-card PKCS11 devices falling
> into this category.

The current token selection criteria in krb5.conf does allow filtering
on slot-id and token-label which do not require login (I believe).  Is
this enough to allow use of tokens that require login to access certs?
What I'm thinking is that specifying just this criteria avoids the issue
of what to do if cert matching criteria is also specified but the token
requires login to discover/access the cert.  If slot-id and or
token-label criteria is all that is provided then my algorithm would
work for tokens requiring login for cert access since there would either
be 0, 1 or > 1 tokens that match.  If slot-id/token-label criteria isn't
enough then is a new krb5.conf parameter needed?

> 2) Prompting user to insert smart card if none are found.
> I think I'm in the rough on #2.

Given the admin is required to modify krb5.conf to enable PKINIT and
smart cards are removable I would think that the expectation is that
pkinit should prompt once for the smartcard/token if there are no token

Note that the prompt that we came up with is:

"If you have a smart card insert it now. Press enter to continue: "

The intention is to to indicate to the user that they either need to
insert a smart card and press enter or just press enter if they don't.

> Neither of these are blocking issues.

Got it.

Will Fiveash
Note my new work e-mail address: will.fiveash at oracle.com
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/

More information about the krbdev mailing list