Robert Relyea wrote:
> Huie-Ying Lee wrote:
>> Hello,
>>
>> I have completed the prompt configuration enhancement, as suggested by 
>> Ludovic. In this enhancement, I added a new field, token_type, in 
>> the pam_pkcs11.conf file. The value of the "token_type" will be 
>> used in the user prompt messages and its default value is "Smart card".
>>
>> The pam_pkcs11 source code has been updated accordingly and the patch 
>> file is attached here.   Please feel free to modify the prompt 
>> messages, as you see fit.
>>
>> Thanks,
>> Huie-Ying
> Hi Huie,
> 
> It still looks like you are unconditionally changing the prompt to be 
> 'Enter your user name'. That still leaves the problem of telling the 
> user that 'smart card login' is enabled. We at least need something like 
> 'Please insert your token', etc. I wouldn't have a problem with reading 
> that from a config file either.

You need to look at the bigger picture of how the pam stack is
being called, and what the user is seeing on the screen.

On Solaris they like to use the pam_authtok_get as the first
pam module. It prompts for user and password, then expects the
rest of the pam stack to use these. So at this point pam_authtok_get
does not know if a smart card is required, optional, or not allowed.
It would be the

With dtlogin and screen savers, the login or screensaver is usually at
the "Enter User" prompt from the first pam module or from the application.
So the smartcard enabled message really needs to be presented
by pam_authtok_get.

The debian pam_krb5 with PKINIT and MIT kerberos (I have tried on Solaris
and Ubuntu) will treat a null password as try_pkinit, and the krb5 pkinit
plugin will then call opensc-pkcs11. If a card is present it then prompts
for the PIN using the pam_conv functions. The krb5 pkinit plugin uses the
CK_TOKEN_INFO Label (need to check on which field) as part
of the prompt for the PIN. If no token is present, pam_krb5
will fall back to password, if allowed, and prompt for a password.

(The debian pam_krb5 with PKINIT and Heimdal kerberos will
load opensc-pkcs11 and see if a card is present. I have not
looked at the Heimdal code recently.)

So if the user is going to use a smartcard, they should insert
it before entering the username, then hit enter for the password
prompt. This will cause the pam_krb5 to prompt for the PIN
telling the user what the label of the smart card is, so
they know what PIN is required.

The pam_pkcs11 needs similar behavior. There might even be
sites that will try and use both pam_krb5 and pam_pkcs11
in the same stack. (Maybe root uses pam_pkcs11, and users
use pam_krb5.)

As a side note, we are not very interested in the pam_pkcs11 as
it only logs into the local machine. We are more interested in the
pam_krb5 which will log into a Kerberos Realm or Windows Domain.


> 
> bob
> 
> BTW does the _(password_prompt) do the right thing for the translation 
> teams?
> 
> bob
>>
>> Huie-Ying Lee wrote:
>>> Ludovic Rousseau wrote:
>>>>
>>>>>> I propose to use a configuration here. The default name would be
>>>>>> "smart card" but the admin could use "secure token" or whatever else
>>>>>>  We could add a "token_name" parameter in the pkcs11_module
>>>>>> configuration.
>>>>>>
>>>>>>  # NSS (Network Security Service) config
>>>>>>  pkcs11_module nss {
>>>>>>    nss_dir = /etc/ssl/nssdb;
>>>>>>    crl_policy = none;
>>>>>>    token_name = "secure slot"
>>>>>>  }
>>>>>>
>>>>>> Comments?
>>>>> Good idea. But I prefer to use "token_type" rather than token_name.
>>>>
>>>> No objection for "token_type".
>>>>
>>>> Can you propose a patch to implement these changes?
>>>>
>>>> Regards,
>>>>
>>>
>>> OK, I can try sometime next week.
>>>
>>> Huie-Ying
>>
>> ------------------------------------------------------------------------
>>
>> Index: src/pam_pkcs11/pam_pkcs11.c
>> ===================================================================
>> --- src/pam_pkcs11/pam_pkcs11.c    (revision 340)
>> +++ src/pam_pkcs11/pam_pkcs11.c    (working copy)
>> @@ -281,7 +281,7 @@
>>      }    } else {
>>          pam_prompt(pamh, PAM_TEXT_INFO, NULL,
>> -                   _("Please insert your smart card or enter your 
>> username."));
>> +                   _("Please enter your username."));
>>      /* get user name */
>>      rv = pam_get_user(pamh, &user, NULL);
>>  
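Review bot: dropping the insertion hint from the prompt at line 281 removes the only cue that smart card login is available, which is exactly the objection Bob raises above. Since token_type is now configurable, the prompt can keep the hint and take the name from the configuration, e.g. build it into a local buffer with snprintf(buf, sizeof buf, _("Please insert your %s or enter your username."), configuration->token_type) and pass buf to pam_prompt. Keep the _() on the format string, not on the assembled buffer, so the message stays translatable.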
>> @@ -370,7 +370,7 @@
>>        /* we haven't prompted for the user yet, get the user and see if
>>         * the smart card has been inserted in the mean time */
>>        pam_prompt(pamh, PAM_TEXT_INFO, NULL, -                 
>> _("Please insert your smart card or enter your username."));
>> +                 _("Please enter your username."));
>>        rv = pam_get_user(pamh, &user, NULL);
>>  
>>        /* check one last time for the smart card before bouncing to 
>> the next
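Review bot: the same prompt replacement at line 370 contradicts the comment directly above it, which says the code is waiting to "see if the smart card has been inserted in the mean time"; with the new text the user is no longer told that inserting a card is an option at this point. Reuse whatever token-aware prompt is chosen for the first hunk so the two call sites stay consistent.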
>> @@ -389,7 +389,8 @@
>>        }
>>      }
>>    } else {
>> -      pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Smart card inserted. "));
>> +      sprintf(password_prompt, "Found the %s.", 
>> configuration->token_type);
>> +      pam_prompt(pamh, PAM_TEXT_INFO, NULL, _(password_prompt));
>>    }
>>    rv = open_pkcs11_session(ph, slot_num);
>>    if (rv != 0) {
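Review bot: _(password_prompt) on a string assembled at runtime translates nothing, because gettext looks up the exact string and "Found the Smart card." is in no catalog; this also answers Bob's BTW, since the translation teams only ever see literals wrapped in _() at build time. Mark the format instead, `sprintf(password_prompt, _("Found the %s."), configuration->token_type)`, and pass the buffer to pam_prompt without _(), which is the pattern the existing `_("Welcome %.32s!")` in the next hunk already follows. Separately, configuration->token_type comes from the config file with no length limit, so use snprintf with the size of password_prompt rather than sprintf to avoid overrunning the buffer.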
>> @@ -402,14 +403,14 @@
>>    /* get password */
>>    sprintf(password_prompt, _("Welcome %.32s!"), 
>> get_slot_tokenlabel(ph));
>>    pam_prompt(pamh, PAM_TEXT_INFO, NULL, password_prompt);
>> +  sprintf(password_prompt, "%s PIN: ", configuration->token_type);
>>    if (configuration->use_first_pass) {
>>      rv = pam_get_pwd(pamh, &password, NULL, PAM_AUTHTOK, 0);
>>    } else if (configuration->try_first_pass) {
>> -    rv = pam_get_pwd(pamh, &password, _("Smart card password: "), 
>> PAM_AUTHTOK,
>> +    rv = pam_get_pwd(pamh, &password, _(password_prompt), PAM_AUTHTOK,
>>        PAM_AUTHTOK);
>>    } else {
>> -    rv = pam_get_pwd(pamh, &password, _("Smart card password: "), 0,
>> -      PAM_AUTHTOK);
>> +    rv = pam_get_pwd(pamh, &password, _(password_prompt), 0, 
>> PAM_AUTHTOK);
>>    }
>>    if (rv != PAM_SUCCESS) {
>>      release_pkcs11_module(ph);
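Review bot: the new `"%s PIN: "` format has no _() around it and the later `_(password_prompt)` calls look up the assembled string, so the PIN prompt can no longer be translated at all, whereas the removed "Smart card password: " could be. Write `snprintf(password_prompt, sizeof password_prompt, _("%s PIN: "), configuration->token_type)` and pass password_prompt to pam_get_pwd directly in both branches. The sprintf here is unbounded for the same reason as in the previous hunk. Minor: the prompt is also built in the use_first_pass branch, where it is never used; harmless, but it could move into the two else branches.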
>> Index: src/pam_pkcs11/pam_config.c
>> ===================================================================
>> --- src/pam_pkcs11/pam_config.c    (revision 340)
>> +++ src/pam_pkcs11/pam_config.c    (working copy)
>> @@ -58,6 +58,7 @@
>>          CONFDIR "/nssdb",
>>          OCSP_NONE
>>      },
>> +    "Smart card",            /* token_type */
>>      NULL                /* char *username */
>>  };
>>  
>> @@ -189,6 +190,11 @@
>>              }
>>          policy_list= policy_list->next;
>>          }
>> +
>> +        configuration.token_type = (char *)
>> +            
>> scconf_get_str(pkcs11_mblk,"token_type",configuration.token_type);
>> +
>> +             }
>>      screen_saver_list = scconf_find_list(root,"screen_savers");
>>      if (screen_saver_list) {
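Review bot: the trailing `+             }` adds a closing brace with no matching opening brace in this hunk and no `-` line removing one; unless it closes something outside the shown context, this will not compile, and its odd indentation suggests a stray paste. Please double-check the brace balance around the policy_list loop before committing. Also, the `(char *)` cast on scconf_get_str exists only to discard a const; making token_type a `const char *` in pam_config.h is cleaner than casting.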
>> @@ -319,6 +325,12 @@
>>          }
>>          continue;
>>         }
>> +
>> +       if (strstr(argv[i],"token_type=") ) {
>> +        
>> res=sscanf(argv[i],"token_type=%255s",&configuration.token_type);
>> +        continue;
>> +       }
>> +
>>         if (strstr(argv[i],"config_file=") ) {
>>          /* already parsed, skip */
>>          continue;
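Review bot: `sscanf(argv[i],"token_type=%255s",&configuration.token_type)` writes up to 256 bytes of string into the storage of the `char *` pointer itself (4 or 8 bytes), corrupting token_type and the configuration fields after it; this is memory corruption, not an assignment. It needs a real buffer, e.g. `static char token_type_buf[256]; if (sscanf(argv[i], "token_type=%255s", token_type_buf) == 1) configuration.token_type = token_type_buf;`. Note also that %s stops at whitespace, so `token_type=Smart card` would yield "Smart"; taking the remainder of the argument after the '=' with strncpy matches the config-file form, which accepts quoted values with spaces.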
>> Index: src/pam_pkcs11/pam_config.h
>> ===================================================================
>> --- src/pam_pkcs11/pam_config.h    (revision 340)
>> +++ src/pam_pkcs11/pam_config.h    (working copy)
>> @@ -42,6 +42,7 @@
>>      int slot_num;
>>      int support_threads;
>>      cert_policy policy;
>> +    char *token_type;
>>      char *username; /* provided user name */
>>  };
>>  
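Review bot: token_type is only ever pointed at a string literal (the default in pam_config.c) or at a string owned by scconf, and pam_config.c has to cast away const to assign it, so declare it `const char *token_type;` to document that it must not be written through and to drop the cast. A short comment like the one on username, e.g. `/* token name shown in prompts, e.g. "Smart card" */`, would help too.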
>> Index: etc/pam_pkcs11.conf.example
>> ===================================================================
>> --- etc/pam_pkcs11.conf.example    (revision 340)
>> +++ etc/pam_pkcs11.conf.example    (working copy)
>> @@ -82,6 +82,12 @@
>>      # You can use a combination of ca,crl, and signature flags, or just
>>      # use "none".
>>      cert_policy = ca,signature;
>> +
>> +    # What kind of tokens ?
>> +    # The value of the token_type parameter will be used in the user 
>> prompt
>> +    # messages.   The default value is "Smart card".
>> +    token_type = "Smart card";
>> +
>>    }
>>  
>>    # Aladdin eTokenPRO 32
>>   
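Review bot: the example says the value is used in prompt messages but not where it lands in the text, so an admin cannot tell whether to write "smart card" or "Smart card"; the patched prompts put it both at the start of a sentence ("Found the Smart card.") and mid-sentence ("Smart card PIN: "). Show the resulting prompts or at least state the casing convention, and mention that the same setting can also be given as a `token_type=` module argument. The comment `# What kind of tokens ?` would read better as `# What kind of token is this?`.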
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
