[kerberos-discuss] a suggestion for improving pkinit preauth plugin token choosing

Will Fiveash will.fiveash at oracle.com
Tue May 11 15:18:31 EDT 2010

On Mon, May 10, 2010 at 07:57:50PM -0400, Sam Hartman wrote:
> I think slot/token ID is sufficient if you will try a specified
> slot/token even if you were not able to examine its certs because login
> would be required.

Just to be clear, what I'm suggesting is if the token to be used
for PKINIT requires login to access the cert then only the slot-id and/or
token-label criteria in the PKCS11 URI in krb5.conf should be set to
match that token and no cert matching criteria should be specified.  In
this scenario the algorithm I proposed would work like:

- no tokens found, prompt the user once to insert their smartcard.

- one token found, prompt the user for the PIN for that token and
  proceed with PKINIT preauth.

- more than one token found, present a menu of tokens and let the user
  choose one to login to or choose none and rescan once for new tokens
  if the user inserted a new token.

The corollary to this token matching behavior is that if cert matching
criteria is specified in krb5.conf then only the tokens that allow
access to contained certs without login will be examined.  Tokens that
require login to access certs will be filtered out of the selection.

I realize that this may be too limiting in the case where a token
requiring login contains > 1 cert and thus cert matching criteria is
required to choose a particular cert.  If that is the case then a new
config interface is required to modify how the pkinit plugin handles
this type of token.

Will Fiveash
Note my new work e-mail address: will.fiveash at oracle.com
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
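As an added illustration (not part of the mail or of the krb5 pkinit plugin), the token selection rule described in the message as a small Python simulation. The Token class, the cert_match substring criterion and the scan/prompt_insert/menu callables are assumptions standing in for the PKCS#11 enumeration and user prompting the plugin itself would do.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Constructed stand-in for a PKCS#11 token; cert_subjects is what is readable without login."""
    slot_id: int
    label: str
    login_required: bool
    cert_subjects: list = field(default_factory=list)


def parse_pkcs11_uri(uri):
    """Parse the 'pkcs11:' path attributes (slot-id, token, ...) into a dict."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = value
    return attrs


def matching_tokens(uri, cert_match, tokens):
    """Apply slot-id/token-label criteria from the URI plus the optional cert criterion (hypothetical substring match)."""
    crit = parse_pkcs11_uri(uri)
    found = []
    for tok in tokens:
        if "slot-id" in crit and int(crit["slot-id"]) != tok.slot_id:
            continue
        if "token" in crit and crit["token"] != tok.label:
            continue
        if cert_match is not None:
            # Corollary from the mail: with cert criteria set, tokens needing login are filtered out.
            if tok.login_required or not any(cert_match in s for s in tok.cert_subjects):
                continue
        found.append(tok)
    return found


def choose_token(uri, cert_match, scan, prompt_insert, menu):
    """Return the token to log in to, or None. scan() lists present tokens; menu(tokens) returns a pick or None."""
    found = matching_tokens(uri, cert_match, scan())
    if not found:
        prompt_insert()  # no tokens: prompt once to insert a smartcard, then rescan once
        found = matching_tokens(uri, cert_match, scan())
        if not found:
            return None
    if len(found) == 1:
        return found[0]  # one token: caller prompts for its PIN and proceeds with PKINIT
    pick = menu(found)  # several tokens: let the user choose one ...
    if pick is None:  # ... or choose none and rescan once for a newly inserted token
        found = matching_tokens(uri, cert_match, scan())
        pick = menu(found) if found else None
    return pick
```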
