Huie-Ying Lee wrote:
> Douglas E. Engert wrote:
>>
>>
>> Huie-Ying Lee wrote:
>>> Hello,
>>>
>>> The pam_pkcs11 module assumes that all PKCS#11 tokens are
>>> smartcards, so it will display the "Smart card" keyword in the PAM
>>> prompt message. However, most of the PKCS#11 tokens are not Smart
>>> cards, so we modified some prompt messages to avoid confusion when
>>> we ported this module to Solaris OS. Attached is the patch file;
>>> please let me know if you have any comments.
>>
>> You are thinking like a programmer, not a user. Users don't know what
>> PKCS#11 or slots are, or even what PAM is. They know they have a device
>> and a place to plug it in to use it for login with a PIN.
>>
> I agreed with you that the "PKCS#11" keyword should be removed, as both 
> Bob and Ludovic raised the concern as well.
> 
> The pam_pkcs11 module is built on top of a PKCS#11 library, so it should
> support any PKCS#11 tokens. For those non-smartcard situations,
> prompts with the "SmartCard" keyword might cause some confusion to a
> user, so we just tried to change it to be a little bit more generic.
> 
>> The use of the term Smart card "password" is also confusing. I would
>> prefer the word PIN, as it is not a password.
>>
> Either "password" or "PIN" is fine with me. Note that the word
> "password" is used in the original source code, not newly introduced by
> this patch.
> 

Well, I am trying to be constructive. PAM module prompts to the user can
be very confusing since there may be more than one PAM module sending
prompts.

Actually, at our site we would be using smart cards with the pam_krb5
that would do Kerberos PKINIT, rather than pam_pkcs11, to the local
machine. I have a pam_krb5-3.11 with the MIT 1.6.3 and OpenSC
running on Solaris 10 with Windows AD as the KDC. I have been
communicating with some of the Sun Kerberos people on this.

Since Solaris likes to use the pam_authtok_get pam routine first,
pam_krb5 with try_first_pass, when presented with a null password, will
then prompt for a PIN using the card label as part of the
prompt. This makes it clear to the user what PIN is being
requested.


> Thanks,
> Huie-Ying
> 
> 
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444