a suggestion for improving pkinit preauth plugin token choosing

Nicolas Williams Nicolas.Williams at oracle.com
Wed May 12 11:50:33 EDT 2010

On Wed, May 12, 2010 at 08:56:39AM -0400, Sam Hartman wrote:
> I actually agree with henry that "please insert a token," should be out
> of scope for preauth plugins.
> My rationale is that the current prompter interface is kind of weak when
> it interacts with GUIs etc, and the more we can avoid using it, the
> better.

That rationale applies even more so to PAM than to the gic prompter.  At
least the gic prompter tells you what kind of thing it's prompting for,
whereas PAM has no such concept.  Yet we can't apply the same rationale
to PAM and say "sorry, no please insert a token prompt, you have to
figure out all by yourself that the reason you can't login is that you
haven't plugged your smartcard in".

> For example, what should that prompt read? "Press enter," may be right
> for a CLI instance, but will be wrongish for gdm.

First, this is easy to fix in the gic prompter: add new prompter types.

Second, this is a problem for PAM as well, and there there's no easy
fix.  PAM and gic are the interfaces that we've got, I'm afraid.  Giving
up on doing the best we can with the interface we have because we can't
get it to be perfect seems wrong to me; taking a detour to extend PAM
would be wrong as well as that'd be a huge project.


More information about the krbdev mailing list