a suggestion for improving pkinit preauth plugin token choosing

Greg Hudson ghudson at MIT.EDU
Wed May 12 15:03:44 EDT 2010

On Wed, 2010-05-12 at 13:13 -0400, Henry B. Hotz wrote:
> If it "fails" then you can return a meaningful error message that
> tells the user how to do it over so it works.  You can say "I couldn't
> find any smart cards.", or "I found the following credentials and I
> don't know which one to use.  Please remove the extras and try
> again.", or "Please call extension HELP.", or even "Please call
> security to have yourself arrested because you are a dangerous
> terrorist."  ;-)

Nico and Will pointed out that PAM makes it difficult to display a
useful error message on failure.  The preauth framework also makes it
difficult.  If PKINIT fails, it's hard for the framework to be smart
enough to know that it "should have" succeeded, so it will tend to go on
to try other things (which will also fail).

You can see similar problems with ssh.  Negotiation and fallback
mechanisms tend to come at a cost of failure-case usability.

More information about the krbdev mailing list