On Thu, Sep 11, 2008 at 03:11:15PM -0500, Will Fiveash wrote: > > Can we exclude that option in Solaris? OTOH, if we package and deliver > > OpenSC then we arguably should not exclude that option, but make it > > work instead. > > Perhaps I'm off base here but wouldn't it be better to add whatever > pkcs11/smart card functionality OpenSC has to the native Solaris pkcs11 > and just have kinit continue to use that. I'm not wild about adding > more options to krb utils if they aren't absolutely necessary.
Arguably one way to offer access-through-third-party-PKCS#11 would be through libpkcs11, since it already supports multiple providers. But arguably too we should just ship OpenSC (is there any reason not to?). > If we must support "-X PKCS11:module_name=/tmp/libpkcs11.so.1" then this > should be error tested carefully to make sure the user can't cause a > core dump and should get meaningful error messages. How would you do that? It's perfectly fine for developer error to cause core dumps, and if users try to use third-party libraries (e.g., PAM modules) this way and they get core dumps, well, that's just how the world works (we don't "carefully test" libpam, say, to prevent core dumps with third-party modules, nor should we). Nico --
