Douglas E. Engert wrote:
So I don't have a problem with the ability to change the prompt on pam_pkcs11, but I do have a problem with forcing the change.You need to look at the bigger picture of how the pam stack is being called, and what the user is seeing on the screen.
In our situation, we arrange for the pam_pkcs11 module to come first if we allow smart card login. If not token is inserted the use will get the prompt to insert the smart card. gdm notices the smart card insertion and restarts the pam stack. For regular login the user inserts the smart card and still has to hit enter, but pam_pkcs11 notices that the card has been inserted and used it to log in.
we run pam_krb5 after pam_pkcs11. It picks up the token, cert, and pin used in pam_pkcs11 and uses it to complete PKINIT (using NSS and MIT kerberos).The debian pam_krb5 with PKINIT and MIT kerberos, (I have tried on Solarisand Ubuntu) will treat a null password as try_pkinit, and krb5 pkinit plugin will then call opensc-pkcs11. If a card is present it then prompts for the PIN using the pam_conv functions. krb5 pkinit plugin use the CK_TOKEN_INFO Label (need to check on which field) as part of the prompt for the PIN. If no token is present, pam_krb5 will fall back to password, if allowed, and prompt for a password.
My point was not that there was a change, but that the change was unilateral and would break our deployments. Having a config switch to select the behavior would be acceptible.
bob
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
