Robert Relyea wrote:
> Huie-Ying Lee wrote:
>> Hello,
>>
>> I have completed the prompt configuration enhancement, as suggested by
>> Ludovic. In this enhancement, I added a new field, token_type, in
>> the pam_pkcs11.conf file. The value of the "token_type" will be
>> used in the user prompt messages and its default value is "Smart card".
>>
>> The pam_pkcs11 source code has been updated accordingly and the patch
>> file is attached here. Please feel free to modify the prompt
>> messages, as you see fit.
>>
>> Thanks,
>> Huie-Ying
> Hi Huie,
>
> It still looks like you are unconditionally changing the prompt to be
> 'Enter your user name'. That still leaves the problem of telling the
> user that 'smart card login' is enabled. We at least need something like
> 'Please insert your token', etc. I wouldn't have a problem with reading
> that from a config file either.
You need to look at the bigger picture of how the pam stack is being called, and what the user is seeing on the screen.

On Solaris they like to use the pam_authtok_get as the first pam module. It prompts for user and password, then expects the rest of the pam stack to use these. So at this point pam_authtok_get does not know if a smart card is required, optional, or not allowed. It would be the

With dtlogin and screen savers, the login or screensaver is usually at the "Enter User" prompt from the first pam module or from the application. So the smartcard enabled message really needs to be presented by pam_authtok_get.

The debian pam_krb5 with PKINIT and MIT kerberos (I have tried on Solaris and Ubuntu) will treat a null password as try_pkinit, and the krb5 pkinit plugin will then call opensc-pkcs11. If a card is present it then prompts for the PIN using the pam_conv functions. The krb5 pkinit plugin uses the CK_TOKEN_INFO Label (need to check on which field) as part of the prompt for the PIN. If no token is present, pam_krb5 will fall back to password, if allowed, and prompt for a password. (The debian pam_krb5 with PKINIT and Heimdal kerberos will load opensc-pkcs11 and see if a card is present. I have not looked at the Heimdal code recently.)

So if the user is going to use a smartcard, they should insert it before entering the username, then hit enter for the password prompt. This will cause pam_krb5 to prompt for the PIN telling the user what the label of the smart card is, so they know what PIN is required.

The pam_pkcs11 needs similar behavior. There might even be sites that will try and use both pam_krb5 and pam_pkcs11 in the same stack. (Maybe root uses pam_pkcs11, and users use pam_krb5.)

As a side note, we are not very interested in pam_pkcs11 as it only logs into the local machine. We are more interested in pam_krb5 which will log into a Kerberos Realm or Windows Domain.
>
> bob
>
> BTW does the _(password_prompt) do the right thing for the translation
> teams?
>
> bob
>>
>> Huie-Ying Lee wrote:
>>> Ludovic Rousseau wrote:
>>>>
>>>>>> I propose to use a configuration here. The default name would be
>>>>>> "smart card" but the admin could use "secure token" or whatever else
>>>>>> We could add a "token_name" parameter in the pkcs11_module
>>>>>> configuration.
>>>>>>
>>>>>> # NSS (Network Security Service) config
>>>>>> pkcs11_module nss {
>>>>>> nss_dir = /etc/ssl/nssdb;
>>>>>> crl_policy = none;
>>>>>> token_name = "secure slot"
>>>>>> }
>>>>>>
>>>>>> Comments?
>>>>> Good idea. But I prefer to use "token_type" than token_name.
>>>>
>>>> No objection for "token_type".
>>>>
>>>> Can you propose a patch to implement these changes?
>>>>
>>>> Regards,
>>>>
>>> OK, I can try sometime next week.
>>>
>>> Huie-Ying
>>
>> ------------------------------------------------------------------------
>>
>> Index: src/pam_pkcs11/pam_pkcs11.c
>> ===================================================================
>> --- src/pam_pkcs11/pam_pkcs11.c (revision 340)
>> +++ src/pam_pkcs11/pam_pkcs11.c (working copy)
>> @@ -281,7 +281,7 @@ >> } } else { >> pam_prompt(pamh, PAM_TEXT_INFO, NULL, >> - _("Please insert your smart card or enter your >> username.")); >> + _("Please enter your username.")); >> /* get user name */ >> rv = pam_get_user(pamh, &user, NULL); >>
>> @@ -370,7 +370,7 @@ >> /* we haven't prompted for the user yet, get the user and see if >> * the smart card has been inserted in the mean time */ >> pam_prompt(pamh, PAM_TEXT_INFO, NULL, - >> _("Please insert your smart card or enter your username.")); >> + _("Please enter your username.")); >> rv = pam_get_user(pamh, &user, NULL); >> >> /* check one last time for the smart card before bouncing to >> the next
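Review bot: the replacement prompt in the @@ -281 hunk, `_("Please enter your username.")`, drops the hint that the user may insert a card instead of typing a name, which is exactly the problem Robert raised, and it ignores the new `configuration->token_type` even though the rest of the patch adds that field for the prompts. Keeping the two-option wording and substituting the configured type, e.g. `snprintf(buf, sizeof(buf), _("Please insert your %s or enter your username."), configuration->token_type);` followed by `pam_prompt(pamh, PAM_TEXT_INFO, NULL, buf);`, would satisfy both goals.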
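Review bot: the @@ -370 hunk has the same problem as the one at 281: the text before `pam_get_user()` no longer tells the user that inserting the card is an alternative. Whatever wording is chosen, both call sites should share one format string so translators see a single msgid instead of two near-duplicates.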
>> @@ -389,7 +389,8 @@ >> } >> } >> } else { >> - pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Smart card inserted. ")); >> + sprintf(password_prompt, "Found the %s.", >> configuration->token_type); >> + pam_prompt(pamh, PAM_TEXT_INFO, NULL, _(password_prompt)); >> } >> rv = open_pkcs11_session(ph, slot_num); >> if (rv != 0) {
>> @@ -402,14 +403,14 @@ >> /* get password */ >> sprintf(password_prompt, _("Welcome %.32s!"), >> get_slot_tokenlabel(ph)); >> pam_prompt(pamh, PAM_TEXT_INFO, NULL, password_prompt); >> + sprintf(password_prompt, "%s PIN: ", configuration->token_type); >> if (configuration->use_first_pass) { >> rv = pam_get_pwd(pamh, &password, NULL, PAM_AUTHTOK, 0); >> } else if (configuration->try_first_pass) { >> - rv = pam_get_pwd(pamh, &password, _("Smart card password: "), >> PAM_AUTHTOK, >> + rv = pam_get_pwd(pamh, &password, _(password_prompt), PAM_AUTHTOK, >> PAM_AUTHTOK); >> } else { >> - rv = pam_get_pwd(pamh, &password, _("Smart card password: "), 0, >> - PAM_AUTHTOK); >> + rv = pam_get_pwd(pamh, &password, _(password_prompt), 0, >> PAM_AUTHTOK); >> } >> if (rv != PAM_SUCCESS) { >> release_pkcs11_module(ph);
>> Index: src/pam_pkcs11/pam_config.c
>> ===================================================================
>> --- src/pam_pkcs11/pam_config.c (revision 340)
>> +++ src/pam_pkcs11/pam_config.c (working copy)
>> @@ -58,6 +58,7 @@ >> CONFDIR "/nssdb", >> OCSP_NONE >> }, >> + "Smart card", /* token_type */ >> NULL /* char *username */ >> };
>>
>> @@ -189,6 +190,11 @@ >> } >> policy_list= policy_list->next; >> } >> + >> + configuration.token_type = (char *) >> + >> scconf_get_str(pkcs11_mblk,"token_type",configuration.token_type); >> + >> + } >> screen_saver_list = scconf_find_list(root,"screen_savers"); >> if (screen_saver_list) {
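Review bot: in the @@ -389 hunk, `sprintf(password_prompt, "Found the %s.", configuration->token_type)` copies an admin-supplied string into `password_prompt` with no bound; it should be `snprintf(password_prompt, sizeof(password_prompt), ...)`. The `_(password_prompt)` that follows also cannot work: gettext is handed the already-formatted text, which will never match a catalog entry, and xgettext never sees a msgid. The translatable string is the format, so wrap that instead (`_("Found the %s.")`) and pass the result to `pam_prompt()` untranslated, the way the existing `_("Welcome %.32s!")` line in the next hunk already does.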
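Review bot: the @@ -402 hunk repeats the translation mistake: `sprintf(password_prompt, "%s PIN: ", configuration->token_type)` leaves the format out of `_()` and then passes the composed string to `_()` in both `pam_get_pwd()` calls, so translators never get a msgid and cannot reorder the words for their language. Write `snprintf(password_prompt, sizeof(password_prompt), _("%s PIN: "), configuration->token_type);` and hand `password_prompt` to `pam_get_pwd()` directly. The prompt is also built before the `use_first_pass` branch, which passes `NULL` and never uses it; moving the `snprintf` into the two branches that do would make that clearer.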
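Review bot: the `"Smart card", /* token_type */` initializer added in the @@ -58 hunk is positional, so it only works because it sits exactly where `token_type` is declared in the struct (immediately before `username`, which matches the pam_config.h hunk); a designated initializer (`.token_type = "Smart card"`) would make that coupling explicit. Because the default points at a string literal and the value read later comes from the scconf tree, nothing may ever `free()` `token_type`; a comment saying so would prevent a future leak-fix from turning into a crash.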
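Review bot: the trailing `+ }` in the @@ -189 hunk closes a block that is not opened anywhere in the hunk, and no `-` line removes a brace elsewhere, so the brace balance of this function changes; please confirm the patch compiles as posted and that the assignment really is inside the block where `pkcs11_mblk` is valid. The `(char *)` cast discards the `const` on the string returned by `scconf_get_str()`; declaring `token_type` as `const char *` removes the need for it. Since the value ends up as a `%s` argument in user prompts, an empty `token_type = "";` in the config should probably fall back to the default rather than produce prompts like " PIN: ".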
>> @@ -319,6 +325,12 @@ >> } >> continue; >> } >> + >> + if (strstr(argv[i],"token_type=") ) { >> + >> res=sscanf(argv[i],"token_type=%255s",&configuration.token_type); >> + continue; >> + } >> + >> if (strstr(argv[i],"config_file=") ) { >> /* already parsed, skip */ >> continue;
>> Index: src/pam_pkcs11/pam_config.h
>> ===================================================================
>> --- src/pam_pkcs11/pam_config.h (revision 340)
>> +++ src/pam_pkcs11/pam_config.h (working copy)
>> @@ -42,6 +42,7 @@ >> int slot_num; >> int support_threads; >> cert_policy policy; >> + char *token_type; >> char *username; /* provided user name */ >> };
>>
>> Index: etc/pam_pkcs11.conf.example
>> ===================================================================
>> --- etc/pam_pkcs11.conf.example (revision 340)
>> +++ etc/pam_pkcs11.conf.example (working copy)
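Review bot: `res=sscanf(argv[i],"token_type=%255s",&configuration.token_type);` in the @@ -319 hunk is a memory-corruption bug, not just a style issue: `token_type` is a `char *`, so `&configuration.token_type` is a `char **`, and `%255s` writes up to 256 bytes of the option text over that pointer and over whatever follows it in the struct. `%s` also stops at the first blank, so `token_type=Smart card` on the PAM line would yield "Smart". Point at the argument instead of scanning into it: after an anchored prefix test (`strncmp(argv[i], "token_type=", 11) == 0`, not `strstr`, which also matches `x_token_type=`), set `configuration.token_type = argv[i] + 11;`, or `strdup()` it if the pointer must outlive `argv`. `res` is assigned and never checked, so either test it or drop it.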
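Review bot: `char *token_type;` in the @@ -42 hunk is assigned both a string literal and the `const char *` returned by `scconf_get_str()`, so `const char *token_type;` is the accurate type and lets pam_config.c drop its cast. A short comment like the one on `username` (where the value comes from, and that it is never freed) would help, and the field has to stay in the same position as the positional initializer in pam_config.c.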
>> @@ -82,6 +82,12 @@ >> # You can use a combination of ca,crl, and signature flags, or just >> # use "none". >> cert_policy = ca,signature; >> + >> + # What kind of tokens ? >> + # The value of the token_type parameter will be used in the user >> prompt >> + # messages. The default value is "Smart card". >> + token_type = "Smart card"; >> + >> } >> >> # Aladdin eTokenPRO 32
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
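Review bot: the example in the @@ -82 hunk should also say that the same setting is accepted as a module argument (`token_type=...` on the PAM line), and the two need to agree on quoting: here the value is a quoted string containing a space, whereas the argument parser in this patch splits on whitespace. Style: `# What kind of tokens ?` has a stray space before the `?`, and the comment could state that the value is shown verbatim to users in prompts, so it should be a short noun phrase.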
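The two defects discussed above, the `sscanf` into a `char *` in the pam_config.c argument parser and the `_()` applied to an already-formatted prompt in pam_pkcs11.c, are easiest to see beside a version that does both correctly. The following is an added example, not pam_pkcs11 code: `struct example_config`, `parse_token_type_arg()` and `build_pin_prompt()` are hypothetical names chosen here, the `_()` macro is a stand-in for gettext so the file builds without libintl, and the argument list in `main()` is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_TYPE_MAX 64

/* Stand-in for gettext's _() so this example builds without libintl;
 * real code would #include <libintl.h>. The point that carries over is
 * that the *format* ("%s PIN: ") is the msgid, never the formatted result. */
#define _(s) (s)

/* Hypothetical config struct for this example: token_type is an owned,
 * bounded buffer rather than a bare char *, so a module argument can be
 * copied into it without overwriting a pointer. */
struct example_config {
    char token_type[TOKEN_TYPE_MAX];
};

/* Parse one PAM module argument. Returns 1 if it was token_type=<value>
 * and the value was stored, 0 if it is some other option, -1 if the value
 * is empty or too long for the buffer. */
int parse_token_type_arg(const char *arg, struct example_config *cfg)
{
    static const char prefix[] = "token_type=";
    const size_t plen = sizeof(prefix) - 1;
    size_t vlen;

    /* Anchored prefix match: strstr() would also accept "x_token_type=". */
    if (strncmp(arg, prefix, plen) != 0)
        return 0;
    vlen = strlen(arg + plen);
    if (vlen == 0 || vlen >= sizeof(cfg->token_type))
        return -1;
    /* Copy the whole remainder, spaces included; sscanf("%255s") would
     * stop at the first blank and turn "Smart card" into "Smart". */
    memcpy(cfg->token_type, arg + plen, vlen + 1);
    return 1;
}

/* Build "<token_type> PIN: " into out with a bounded write. Returns the
 * prompt length, or -1 if it would not fit, so the caller can refuse to
 * show a truncated prompt instead of silently doing so. */
int build_pin_prompt(const struct example_config *cfg, char *out, size_t outlen)
{
    /* The format string is what translators see; the type is substituted
     * afterwards, so "%s PIN: " can be reordered per language. */
    int n = snprintf(out, outlen, _("%s PIN: "), cfg->token_type);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Default matches the patch; the argument list is constructed sample
     * input standing in for the PAM line's module arguments. */
    struct example_config cfg = { "Smart card" };
    const char *sample_argv[] = {
        "debug",
        "token_type=USB token",
        "config_file=/path/to/pam_pkcs11.conf"   /* placeholder path */
    };
    char prompt[128];
    size_t i;

    for (i = 0; i < sizeof(sample_argv) / sizeof(sample_argv[0]); i++) {
        if (parse_token_type_arg(sample_argv[i], &cfg) < 0)
            fprintf(stderr, "bad token_type argument: %s\n", sample_argv[i]);
    }
    if (build_pin_prompt(&cfg, prompt, sizeof(prompt)) > 0)
        printf("%s\n", prompt);   /* USB token PIN: */
    return 0;
}
```

Holding the value in a fixed buffer is one choice; keeping a `const char *` into `argv` (or a `strdup()` of it) is the other, and either avoids the `char **` write that the patch's `sscanf` performs. The `-1` from `build_pin_prompt()` is deliberate: a prompt that does not fit is a configuration error worth reporting, not something to truncate.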