On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
> Wyllys Ingersoll wrote:
> > Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> > This information is Copyright 2009 Sun Microsystems
> >
> > 1. Introduction
> >
> > 1.1. Project/Component Working Name:
> > pam_krb5 PKINIT support
> >
> > 1.2. Name of Document Author/Supplier:
> > Author: Will Fiveash
> >
> > 1.3 Date of This Document:
> > 22 October, 2009
> >
> > 4. Technical Description
> >
> > pam_krb5 PKINIT support
> > --------------------------------------
> >
> > Recently support for public key based initial Kerberos credential
> > acquisition or PKINIT was added to Solaris Kerberos (see PSARC 2008/631).
> > What I propose now is modifying pam_krb5 in the following way to take
> > advantage of this PKINIT support and essentially allow a user to use a
> > smartcard or other form of public/private key to acquire their Kerberos
> > credential without using their long term Kerberos password.
> >
> > In order to avoid misleading prompting by pam_authtok_get (which assumes
> > a password must be prompted for) pam_krb5 would be modified to do its
> > own prompting when it determines that the PAM_USER and PAM_AUTHTOK are
> > not available which indicates it is above pam_authtok_get in the auth
> > stack. pam_krb5 would assume at this point that PKINIT is to be used to
> > acquire the user's Kerberos credential. If PKINIT fails to acquire a
> > Kerberos credential an error would be returned.
>
> The concept seems reasonable but what will the prompts look like ?

The prompts will come from either the pkinit preauth plugin or
openssl/libcrypto which pkinit calls. The specific prompt string will
depend on what kind of pubkey auth is being done. See the PKINIT-specific
Options section in krb5.conf man for the specifics of the types of pubkey
supported by the pkinit plugin.

> What if PAM_USER is setup but PAM_AUTHTOK is not (which is very likely since
> PAM_USER is often set by the application before pam_authenticate() is
> called) ?

In that case pam_krb5 would only do PKINIT since the assumption is if
PAM_AUTHTOK is not set then pam_krb5 is stacked above pam_authtok_get.

> What will be in PAM_AUTHTOK when pam_sm_authenticate() from pam_krb5 returns
> ? It should probably not be the PIN passed to a C_Login() for PKCS#11.

If the prompt type set by pkinit is KRB5_PROMPT_TYPE_PREAUTH which it
typically is then PAM_AUTHTOK will not be set. Note that there is logic in
the prompter bridge function like:

    if (prompt_type[i] == KRB5_PROMPT_TYPE_PASSWORD) {
        (void)pam_set_item(pamh, PAM_AUTHTOK, (void *)ret_respp[i].resp);
    }

in case the underlying libkrb actually prompts for the user's password.
The pkinit plugin will never do this however.

> > Note that if pam_krb5 is stacked below pam_authtok_get it would function
> > as it currently does which is to get the user's Kerberos credential
> > using their long term Kerberos password.
>
> That seems reasonable.
>
> I want to see an updated pam_krb5(5) man page explaining how to use PKINIT
> and including the example PAM stacks for use of PKINIT.

I'll work on that and send it as a reply.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA