adding support to pkinit plugin for a PIN option?

Will Fiveash will.fiveash at
Tue May 13 19:52:34 EDT 2014

I would like to add support to the pkinit preauth plugin to support a
PIN option in the pkinit_identity_opts.  This would allow the Solaris
pam_krb5 to support PKINIT preauth by providing an interface it can use
to pass the PIN to the pkinit preauth plugin via:

krb5_get_init_creds_opt_set_pa(kcontext, opts, "PIN", *krb5_pass);

If the PIN option is set this way, the pkinit preauth plugin wouldn't
prompt the user for their PIN and would just use the PIN option.  This
allows pam_krb5 to use PAM compatible prompting to acquire the PIN.

I can submit changes for this as a pull request if that seems
reasonable.  Thoughts?

Will Fiveash
Oracle Solaris Software Engineer

More information about the krbdev mailing list