a suggestion for improving pkinit preauth plugin token choosing
Nicolas.Williams at oracle.com
Wed May 12 11:57:22 EDT 2010
On Wed, May 12, 2010 at 09:59:55AM -0500, Douglas E. Engert wrote:
> It's the current PAM architecture that is weak. PAM needs a better front
> end to give the user some choices, and a better way to propagate those
> choices to the individual PAM modules.
I fully agree that PAM's conversation concept is busted. Here's a
partial list of problems with it:
- it's clearly designed for a tty world, so...
- ...it has no concept of "OK" and "cancel" buttons, or any other GUI
constructs (forget radio buttons, checkboxes, ...)
- prompts cannot be canceled asynchronously: the user *must* hit ENTER
(or click OK), so...
- ...there's no way to make an "insert smartcard" prompt go away when
C_WaitForSlotEvent() indicates that a token is available;
- there's no indication to the application as to what kind of item or
action is being prompted for;
- there's no direct way for the app to indicate that the conversation
context is a GUI context or a tty context (not setting PAM_TTY
doesn't work for this; think of ssh);
- there's no extensibility; adding GUI support will require massive
re-writing of PAM application and module code;
I could probably go on.
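As an added illustration of the points above (not part of this thread, and not code from any PAM implementation or from the pkinit plugin), the C below sketches what a pam_conv callback actually receives. The struct and constant definitions mirror Linux-PAM's security/pam_appl.h and are declared inline so the file builds without libpam-dev (an assumption of the example); the prompt texts, the scripted answers and the guess_prompt_kind() heuristic are constructed for the example. Two things it makes concrete: the callback sees only a msg_style and a free-form string, so the application has to guess from wording what item is being asked for; and the call is synchronous, so nothing can retract or cancel a prompt once the module has issued it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors Linux-PAM's <security/pam_appl.h>; declared inline (assumption)
 * so the example builds without libpam-dev. Values match Linux-PAM. */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* All the app can learn about a prompt is msg_style plus free-form text, so
 * "what is being asked for" must be guessed from wording. Hypothetical,
 * locale-dependent heuristic; that fragility is the point. */
enum prompt_kind { KIND_UNKNOWN, KIND_PASSWORD, KIND_PIN, KIND_INSERT_TOKEN };

static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

enum prompt_kind guess_prompt_kind(int msg_style, const char *text)
{
    if (msg_style == PAM_TEXT_INFO && contains_ci(text, "insert"))
        return KIND_INSERT_TOKEN;
    if (msg_style == PAM_PROMPT_ECHO_OFF) {
        if (contains_ci(text, "pin"))
            return KIND_PIN;
        if (contains_ci(text, "password") || contains_ci(text, "passphrase"))
            return KIND_PASSWORD;
    }
    return KIND_UNKNOWN;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Application-side state handed to the callback through appdata_ptr. */
struct scripted_answers { const char *password; const char *pin;
                          int prompts_seen; int infos_seen; };

/* A pam_conv callback with the real PAM signature. The module calls it
 * synchronously: until it returns, no slot event or GUI cancel button can
 * retract the prompt, and there is no way to report "cancelled". */
int scripted_conv(int num_msg, const struct pam_message **msg,
                  struct pam_response **resp, void *appdata_ptr)
{
    struct scripted_answers *s = appdata_ptr;
    struct pam_response *r;
    int i;

    if (num_msg <= 0 || s == NULL)
        return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        const char *answer;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            s->prompts_seen++;
            switch (guess_prompt_kind(msg[i]->msg_style, msg[i]->msg)) {
            case KIND_PIN:      answer = s->pin;      break;
            case KIND_PASSWORD: answer = s->password; break;
            default:            answer = "";          break;
            }
            if ((r[i].resp = dup_str(answer)) == NULL)
                goto fail;
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            s->infos_seen++;            /* display only; no reply expected */
            break;
        default:
            goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (i = 0; i < num_msg; i++)
        free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}

/* One constructed conversation of the shape a smartcard module might issue;
 * returns 1 when every check passes. Texts and answers are made up. */
int demo_session(void)
{
    const struct pam_message m0 = { PAM_TEXT_INFO,       "Please insert your smart card" };
    const struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "PIN for token: " };
    const struct pam_message m2 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[3] = { &m0, &m1, &m2 };
    struct scripted_answers s = { "hunter2", "1234", 0, 0 };
    struct pam_response *resp = NULL;
    int ok, i;

    if (scripted_conv(3, msgs, &resp, &s) != PAM_SUCCESS)
        return 0;
    ok = resp[0].resp == NULL && strcmp(resp[1].resp, "1234") == 0 &&
         strcmp(resp[2].resp, "hunter2") == 0 &&
         s.prompts_seen == 2 && s.infos_seen == 1;
    printf("prompts=%d infos=%d ok=%d\n", s.prompts_seen, s.infos_seen, ok);
    for (i = 0; i < 3; i++)
        free(resp[i].resp);
    free(resp);
    return ok;
}
```

Build with a plain `cc` and call demo_session() from a main() of your own; swap the inline definitions for `#include <security/pam_appl.h>` to wire the same callback into a real pam_start() on a system with libpam-dev.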