a suggestion for improving pkinit preauth plugin token choosing

Nicolas Williams Nicolas.Williams at oracle.com
Mon May 10 18:46:27 EDT 2010

On Mon, May 10, 2010 at 05:21:06AM -0400, Sam Hartman wrote:
> I agree that what you propose is an improvement over the current
> algorithm.
> I'm uncomfortable with two things.
> 1) No way at all to deal with tokens that require login.  I wouldn't
> mind if this needed to be explicitly enabled.  I think what the
> discussions so far have suggested is that we know of no smart cards
> falling into this category especially because they will not work with
> the MS model, but we do know of non-smart-card PKCS11 devices falling
> into this category.

I agree.  For example, the SCA-6000.  In practice I suspect we'll not
see many customers wanting to use such tokens for PKINIT, and we may not
care to support that.  If we did care to support them, or if MIT does,
we could always make that a configurable option as you suggest.

> 2) Prompting user to insert smart card if none are found.
> I think I'm in the rough on #2.

This should be a gic option.  In the pam_krb5 case we'll want the
preauth plugin to prompt the user to insert their smart card; in the
kinit case we'll likely not (if you've not inserted your smart card when
you kinit, then you probably don't have one, but you might have slots,
in which case a prompt from kinit to insert your smartcard will be



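As an added example (not code from the krb5 PKINIT plugin and not written by either poster), the token-choosing policy the two points above describe, in C: skip a present token that requires login unless that has been explicitly enabled, and if slots exist but none holds a token, prompt for insertion only when the caller (pam_krb5 rather than kinit) turned the gic-style option on.  The slot list is constructed data standing in for what C_GetSlotList/C_GetSlotInfo/C_GetTokenInfo would return; the two flag values are the PKCS#11 v2.x ones but are defined locally so the file builds without a PKCS#11 header; the option names, the prompt hook and the scenario functions are assumptions of this example.

```c
/* Added example: token selection policy for a PKINIT preauth plugin.
 * Not the krb5 plugin's code; slot data below is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CKF_TOKEN_PRESENT  0x00000001UL  /* CK_SLOT_INFO.flags (PKCS#11 v2.x) */
#define CKF_LOGIN_REQUIRED 0x00000004UL  /* CK_TOKEN_INFO.flags (PKCS#11 v2.x) */

struct slot {
    unsigned long id;
    unsigned long slot_flags;   /* as C_GetSlotInfo would report */
    unsigned long token_flags;  /* as C_GetTokenInfo would report; only valid if a token is present */
    const char *label;
};

/* Policy knobs (assumed names): allow_login_required is the "explicitly
 * enabled" switch; prompt_for_insert is the proposed gic option. */
struct select_opts {
    bool allow_login_required;
    bool prompt_for_insert;
};

/* Prompt hook.  Real code would go through the krb5 prompter and then
 * re-read the slot list; here the hook may mark a slot as holding a token
 * (simulated insertion) and returns whether the user said they inserted one. */
typedef bool (*prompt_fn)(void *ctx, struct slot *slots, size_t n);

enum select_result {
    SEL_OK = 0,
    SEL_NO_SLOTS,        /* no slot at all: nothing to prompt for */
    SEL_NO_TOKEN,        /* slots but no token; no prompt, or user declined */
    SEL_ONLY_LOGIN_REQ   /* only present tokens need login and that is not enabled */
};

static const struct slot *first_usable(const struct slot *s, size_t n,
                                       const struct select_opts *o,
                                       bool *skipped_login_req)
{
    *skipped_login_req = false;
    for (size_t i = 0; i < n; i++) {
        if (!(s[i].slot_flags & CKF_TOKEN_PRESENT))
            continue;
        if ((s[i].token_flags & CKF_LOGIN_REQUIRED) && !o->allow_login_required) {
            *skipped_login_req = true;   /* e.g. an accelerator that needs C_Login */
            continue;
        }
        return &s[i];                    /* first usable token wins */
    }
    return NULL;
}

enum select_result select_token(struct slot *s, size_t n, const struct select_opts *o,
                                prompt_fn prompt, void *ctx, const struct slot **out)
{
    bool skipped;
    *out = NULL;
    if (n == 0)
        return SEL_NO_SLOTS;
    if ((*out = first_usable(s, n, o, &skipped)) != NULL)
        return SEL_OK;
    if (skipped)
        return SEL_ONLY_LOGIN_REQ;
    /* Slots exist but hold no token: prompt only if the caller asked for it. */
    if (!o->prompt_for_insert || prompt == NULL || !prompt(ctx, s, n))
        return SEL_NO_TOKEN;
    if ((*out = first_usable(s, n, o, &skipped)) != NULL)
        return SEL_OK;
    return skipped ? SEL_ONLY_LOGIN_REQ : SEL_NO_TOKEN;
}

/* Constructed prompt double: the user "inserts" a card into the first slot. */
static bool simulate_insert(void *ctx, struct slot *s, size_t n)
{
    (void)ctx;
    if (n == 0) return false;
    s[0].slot_flags |= CKF_TOKEN_PRESENT;
    s[0].token_flags = 0;
    s[0].label = "inserted smart card";
    return true;
}

/* Scenarios over constructed slot lists. */
enum select_result scenario_no_slots(void)
{
    struct select_opts o = { false, true };
    const struct slot *t;
    return select_token(NULL, 0, &o, simulate_insert, NULL, &t);
}

enum select_result scenario_empty_reader(bool prompt_for_insert)
{
    struct slot s[] = { { 1, 0, 0, "empty reader" } };
    struct select_opts o = { false, prompt_for_insert }; /* false: kinit; true: pam_krb5 */
    const struct slot *t;
    return select_token(s, 1, &o, simulate_insert, NULL, &t);
}

enum select_result scenario_login_required(bool enabled)
{
    struct slot s[] = { { 7, CKF_TOKEN_PRESENT, CKF_LOGIN_REQUIRED, "accelerator, login required" } };
    struct select_opts o = { enabled, true };
    const struct slot *t;
    return select_token(s, 1, &o, simulate_insert, NULL, &t);
}

int main(void)
{
    printf("no slots:                 %d\n", scenario_no_slots());
    printf("kinit, empty reader:      %d\n", scenario_empty_reader(false));
    printf("pam_krb5, empty reader:   %d\n", scenario_empty_reader(true));
    printf("login-required, disabled: %d\n", scenario_login_required(false));
    printf("login-required, enabled:  %d\n", scenario_login_required(true));
    return 0;
}
```

The distinction between SEL_NO_SLOTS and SEL_NO_TOKEN is the point of the second item above: with no slot at all, a prompt to insert a card is noise, whereas an empty reader is exactly the case where pam_krb5 wants one.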