a suggestion for improving pkinit preauth plugin token choosing

Will Fiveash will.fiveash at oracle.com
Wed May 12 15:21:08 EDT 2010

On Wed, May 12, 2010 at 03:03:44PM -0400, Greg Hudson wrote:
> On Wed, 2010-05-12 at 13:13 -0400, Henry B. Hotz wrote:
> > If it "fails" then you can return a meaningful error message that
> > tells the user how to do it over so it works.  You can say "I couldn't
> > find any smart cards.", or "I found the following credentials and I
> > don't know which one to use.  Please remove the extras and try
> > again.", or "Please call extension HELP.", or even "Please call
> > security to have yourself arrested because you are a dangerous
> > terrorist."  ;-)
> Nico and Will pointed out that PAM makes it difficult to display a
> useful error message on failure.  The preauth framework also makes it
> difficult.  If PKINIT fails, it's hard for the framework to be smart
> enough to know that it "should have" succeeded, so it will tend to go on
> to try other things (which will also fail).

Right, and while it's true that a PAM app that logs a user into a system
will typically try the auth stack again, unless the user is given an
indication that something in the auth stack needs their smart card,
things will continue to fail.  Given the layering, framework constraints
and the fact that currently it's the pkinit plugin that consumes the
token/cert matching criteria in krb5.conf it seems like it is the best
place to indicate to the user what it's looking for.  And I think this
would be true for other preauth plugins.

Will Fiveash
Note my new work e-mail address: will.fiveash at oracle.com
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
