a suggestion for improving pkinit preauth plugin token choosing
Henry B. Hotz
hotz at jpl.nasa.gov
Wed May 12 17:12:38 EDT 2010
OK, I get it. *sigh* The layering makes it hard.
TNSTAAFL
On May 12, 2010, at 12:21 PM, Will Fiveash wrote:
> On Wed, May 12, 2010 at 03:03:44PM -0400, Greg Hudson wrote:
>> On Wed, 2010-05-12 at 13:13 -0400, Henry B. Hotz wrote:
>>> If it "fails" then you can return a meaningful error message that
>>> tells the user how to do it over so it works. You can say "I couldn't
>>> find any smart cards.", or "I found the following credentials and I
>>> don't know which one to use. Please remove the extras and try
>>> again.", or "Please call extension HELP.", or even "Please call
>>> security to have yourself arrested because you are a dangerous
>>> terrorist." ;-)
>>
>> Nico and Will pointed out that PAM makes it difficult to display a
>> useful error message on failure. The preauth framework also makes it
>> difficult. If PKINIT fails, it's hard for the framework to be smart
>> enough to know that it "should have" succeeded, so it will tend to go on
>> to try other things (which will also fail).
>
> Right, and while it's true that a PAM app that logs a user into a system
> will typically try the auth stack again, unless the user is given an
> indication that something in the auth stack needs their smart card,
> things will continue to fail. Given the layering, framework constraints
> and the fact that currently it's the pkinit plugin that consumes the
> token/cert matching criteria in krb5.conf it seems like it is the best
> place to indicate to the user what it's looking for. And I think this
> would be true for other preauth plugins.
>
> --
> Will Fiveash
> Oracle
> Note my new work e-mail address: will.fiveash at oracle.com
> http://opensolaris.org/os/project/kerberos/
> Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu