a suggestion for improving pkinit preauth plugin token choosing

Henry B. Hotz hotz at jpl.nasa.gov
Mon May 10 19:55:39 EDT 2010

On May 10, 2010, at 9:04 AM, krbdev-request at mit.edu wrote:

> Message: 2
> Date: Mon, 10 May 2010 05:21:06 -0400
> From: Sam Hartman <hartmans at MIT.EDU>
> Subject: Re: a suggestion for improving pkinit preauth plugin token choosing
> To: kerberos-discuss <kerberos-discuss at opensolaris.org>
> Cc: MIT Kerberos Dev List <krbdev at mit.edu>
> Message-ID: <tsl7hncun7h.fsf at mit.edu>
> Content-Type: text/plain; charset=us-ascii
> 
> I agree that what you propose is an improvement over the current
> algorithm.
> I'm uncomfortable with two things.
> 1) No way at all to deal with tokens that require login.  I wouldn't
> mind if this needed to be explicitly enabled.  I think what the
> discussions so far have suggested is that we know of no smart cards
> falling into this category especially because they will not work with
> the MS model, but we do know of non-smart-card PKCS11 devices falling
> into this category.
> 2) Prompting user to insert smart card if none are found.
> I think I'm in the rough on #2.
> Neither of these are blocking issues.

In both cases, I have to ask if they should be handled by a PKINIT plugin at all.

In order to do PKINIT, there are some prerequisites:  You need to have the PKI credentials available (and selected/identified), and unlocked.  I'm personally OK with requiring pre-unlock access to the information needed to identify the credentials you want to use, but if I'm being PIV-card provincial feel free to speak up.

I think prompting (via supplied prompter function) to unlock use of the secret key is in scope for a pre-auth plugin.  It had better be possible for that function to bridge between a PAM conversation and supplying a PIN to pkcs11.

I also think that things like "pretty please insert your card" are outside the scope of what a pre-auth plugin ought to be responsible for.  A pre-auth plugin should just return an error indicating "no creds", or "multiple (ambiguous) creds".

I think user context-setup interactions (like "pretty please insert your card") are a higher-level issue, and the responsibility of pam_krb5, or maybe even the application calling PAM.  If it's a command line, then it prints the appropriate error, and the user can insert the card and do it over.  (Actually, I think I've argued for do-over in the PAM case as well, haven't I?)

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
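The division of responsibility argued for in the message above, written out as an added example (this is not MIT Kerberos code and not the algorithm proposed in the thread; it is a stand-alone model). The "plugin" layer only selects a token and unlocks it through a caller-supplied prompter, returning distinct codes for "no creds", "ambiguous creds", "token requires login" (Sam's point 1, off unless explicitly enabled) and "bad PIN"; it never asks the user to insert a card. The layer above, standing in for pam_krb5 or a command-line tool, decides which of those codes deserve a message and a do-over. The result codes, the `token` struct, `select_token`, `pkinit_preauth`, `caller_should_retry`, `fixed_pin_prompter` and `run_scenario` are all hypothetical names; the `CKF_*` flag values are the real PKCS#11 token-info bits, but no PKCS#11 module is loaded and the three-slot setup is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Real CK_TOKEN_INFO flag bits from the PKCS#11 specification. */
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Hypothetical result codes for the pre-auth plugin's selection step. */
enum sel_result { SEL_OK = 0, SEL_NO_CREDS, SEL_AMBIGUOUS, SEL_NEEDS_LOGIN, SEL_BAD_PIN };

/* Constructed view of one slot, as a plugin would assemble it from
 * C_GetSlotList/C_GetTokenInfo/C_FindObjects (simulated here, no real calls). */
struct token {
    const char *label;
    unsigned long flags;   /* CK_TOKEN_INFO.flags */
    int present;           /* token is in the slot */
    int certs_private;     /* certs are private objects: invisible before C_Login */
    const char *cert_id;   /* CKA_ID of the usable cert, NULL if none */
    const char *pin;       /* correct PIN (constructed, for the simulated login) */
    int logged_in;         /* simulated session state */
};

/* Prompter in the spirit of krb5_prompter_fct: the plugin never reads a
 * PIN itself, so a PAM conversation can sit behind this callback. */
typedef int (*pin_prompter)(void *ctx, const char *prompt, char *buf, size_t buflen);

struct sel_opts {
    const char *want_cert_id;    /* NULL = accept any cert */
    int allow_login_required;    /* opt-in for tokens that hide certs until login */
};

/* Simulated C_Login: pinpad readers take the PIN on the device, everyone
 * else goes through the caller's prompter. */
static int token_login(struct token *t, pin_prompter prompt, void *ctx)
{
    char pin[64], msg[128];
    if (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH) { t->logged_in = 1; return 1; }
    snprintf(msg, sizeof msg, "PIN for %s: ", t->label);
    if (prompt == NULL || prompt(ctx, msg, pin, sizeof pin) != 0) return 0;
    t->logged_in = (t->pin != NULL && strcmp(pin, t->pin) == 0);
    return t->logged_in;
}

enum sel_result select_token(struct token *toks, size_t n, const struct sel_opts *o,
                             pin_prompter prompt, void *ctx, struct token **out)
{
    struct token *cand = NULL;
    int ncand = 0, skipped_login_only = 0;
    for (size_t i = 0; i < n; i++) {
        struct token *t = &toks[i];
        if (!t->present) continue;
        if (t->certs_private && !t->logged_in) {
            if (!o->allow_login_required) { skipped_login_only = 1; continue; }
            /* Opt-in path: we must log in before we can tell whether this
             * token even holds a matching certificate. */
            if (!token_login(t, prompt, ctx)) return SEL_BAD_PIN;
        }
        if (t->cert_id == NULL) continue;
        if (o->want_cert_id && strcmp(o->want_cert_id, t->cert_id) != 0) continue;
        cand = t; ncand++;
    }
    if (ncand == 0) return skipped_login_only ? SEL_NEEDS_LOGIN : SEL_NO_CREDS;
    if (ncand > 1) return SEL_AMBIGUOUS;
    *out = cand;
    return SEL_OK;
}

/* The whole job of the plugin: pick one token, unlock its private key via
 * the prompter, otherwise hand back an error code and nothing else. */
enum sel_result pkinit_preauth(struct token *toks, size_t n, const struct sel_opts *o,
                               pin_prompter prompt, void *ctx, struct token **out)
{
    enum sel_result r = select_token(toks, n, o, prompt, ctx, out);
    if (r != SEL_OK) return r;
    if (((*out)->flags & CKF_LOGIN_REQUIRED) && !(*out)->logged_in &&
        !token_login(*out, prompt, ctx))
        return SEL_BAD_PIN;
    return SEL_OK;
}

/* The layer above (pam_krb5 or the CLI): which codes get a message and a
 * do-over.  Returns 1 when the user should fix something and try again. */
int caller_should_retry(enum sel_result r, const char **message)
{
    switch (r) {
    case SEL_OK:          *message = "authenticated";                               return 0;
    case SEL_NO_CREDS:    *message = "no usable token; insert your card and retry"; return 1;
    case SEL_AMBIGUOUS:   *message = "several tokens match; pick one by cert ID";   return 1;
    case SEL_NEEDS_LOGIN: *message = "token needs login first; not enabled here";   return 0;
    case SEL_BAD_PIN:     *message = "wrong PIN";                                   return 1;
    }
    *message = "unknown"; return 0;
}

/* Constructed prompter: answers every prompt with the string passed as ctx. */
int fixed_pin_prompter(void *ctx, const char *prompt, char *buf, size_t buflen)
{
    (void)prompt;
    snprintf(buf, buflen, "%s", (const char *)ctx);
    return 0;
}

/* Constructed scenarios over a three-slot setup; returns the plugin's code. */
int run_scenario(int which)
{
    struct token toks[3] = {
        {"PIV card",     CKF_LOGIN_REQUIRED, 1, 0, "01", "123456", 0},
        {"HSM token",    CKF_LOGIN_REQUIRED, 1, 1, "02", "0000",   0},
        {"empty reader", 0,                  0, 0, NULL, NULL,     0},
    };
    struct token *t = NULL;
    struct sel_opts o = {NULL, 0};
    const char *pin = "123456";
    switch (which) {
    case 1: break;                                                /* PIV card, right PIN */
    case 2: o.want_cert_id = "02"; break;                         /* HSM hides certs, opt-in off */
    case 3: o.want_cert_id = "02"; o.allow_login_required = 1; pin = "0000"; break;
    case 4: pin = "9999"; break;                                  /* wrong PIN on the PIV card */
    case 5: toks[0].present = 0; toks[1].present = 0; break;      /* card pulled: nothing usable */
    case 6: toks[2].present = 1; toks[2].cert_id = "03"; break;   /* two candidates */
    }
    return (int)pkinit_preauth(toks, 3, &o, fixed_pin_prompter, (void *)pin, &t);
}
```

The point of splitting `pkinit_preauth` from `caller_should_retry` is that the plugin can be driven from a PAM conversation or a terminal without knowing which: only the prompter differs, and only the caller ever says "insert your card".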
