a suggestion for improving pkinit preauth plugin token choosing

Nicolas Williams Nicolas.Williams at oracle.com
Wed May 12 11:57:22 EDT 2010

On Wed, May 12, 2010 at 09:59:55AM -0500, Douglas E. Engert wrote:
> It's the current PAM architecture that is weak. PAM needs a better front
> end to give the user some choices, and a better way to propagate those
> choices to the individual PAM modules.

I fully agree that PAM's conversation concept is busted.  Here's a
partial list of problems with it:

 - it's clearly designed for a tty world, so...
 - ...it has no concept of "OK" and "cancel" buttons, or any other GUI
   constructs (forget radio buttons, checkboxes, ...)

 - prompts cannot be canceled asynchronously: the user *must* hit ENTER
   (or click OK), so...
 - ...there's no way to make an "insert smartcard" prompt go away when
   C_WaitForSlotEvent() indicates that a token is available;

 - there's no indication to the application as to what kind of item or
   action is being prompted for;

 - there's no direct way for the app to indicate that the conversation
   context is a GUI context or a tty context (not setting PAM_TTY
   doesn't work for this; think of ssh);

 - there's no extensibility; adding GUI support will require massive
   re-writing of PAM application and module code;

I could probably go on.
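As an added illustration of the limits listed above (example code, not from this thread or from any PAM implementation), here is an application-side PAM conversation function in C. The structures and constants mirror Linux-PAM's <security/pam_appl.h> so the file builds without libpam-dev; the scripted answer list is a constructed stand-in for a user typing at a tty.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the conversation API of <security/pam_appl.h> (Linux-PAM
 * values) so this builds without libpam-dev; the real header has the
 * same shape. */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Constructed stand-in for the user: answers typed at a tty, in order. */
struct script { const char **answers; int n; int next; };

/* All the application learns about a prompt is its msg_style: "Password:"
 * and "Insert smartcard, then enter PIN:" both arrive as PAM_PROMPT_ECHO_OFF,
 * so a GUI cannot tell which widget to draw. */
const char *prompt_kind(int style) {
    static const char *names[] = { "secret", "text", "error", "info" };
    return (style >= PAM_PROMPT_ECHO_OFF && style <= PAM_TEXT_INFO)
           ? names[style - PAM_PROMPT_ECHO_OFF] : "unknown";
}
/* Conversation callback. The module blocks in here until every message is
 * answered; nothing in the interface lets either side withdraw a prompt. */
int scripted_conv(int num_msg, const struct pam_message **msg,
                  struct pam_response **resp, void *appdata_ptr) {
    struct script *s = appdata_ptr;
    struct pam_response *r;
    if (num_msg <= 0 || !(r = calloc((size_t)num_msg, sizeof *r)))
        return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        printf("[%s] %s\n", prompt_kind(style), msg[i]->msg);
        if (style != PAM_PROMPT_ECHO_OFF && style != PAM_PROMPT_ECHO_ON)
            continue;                 /* info/error text: no reply slot filled */
        if (s->next >= s->n || !(r[i].resp = strdup(s->answers[s->next++]))) {
            for (int j = 0; j < i; j++) free(r[j].resp);   /* all or nothing */
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;                        /* the module owns and frees this */
    return PAM_SUCCESS;
}
```

Note that a module which has already seen the token arrive via C_WaitForSlotEvent() still has to wait for scripted_conv() to return; the only escape hatch is the all-or-nothing PAM_CONV_ERR.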
