On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
>  Wyllys Ingersoll wrote:
> > Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> > This information is Copyright 2009 Sun Microsystems
> > 1. Introduction
> >     1.1. Project/Component Working Name:
> >      pam_krb5 PKINIT support
> >     1.2. Name of Document Author/Supplier:
> >      Author:  Will Fiveash
> >     1.3  Date of This Document:
> >     22 October, 2009
> > 4. Technical Description
> > pam_krb5 PKINIT support
> > --------------------------------------
> > Recently support for public key based initial Kerberos credential
> > acquisition or PKINIT was added to Solaris Kerberos (see PSARC 2008/631).
> > What I propose now is modifying pam_krb5 in the following way to take
> > advantage of this PKINIT support and essentially allow a user to use a
> > smartcard or other form of public/private key to acquire their Kerberos
> > credential without using their long term Kerberos password.
> > In order to avoid misleading prompting by pam_authtok_get (which assumes
> > a password must be prompted for) pam_krb5 would be modified to do its
> > own prompting when it determines that the PAM_USER and PAM_AUTHTOK are
> > not available which indicates it is above pam_authtok_get in the auth
> > stack.  pam_krb5 would assume at this point that PKINIT is to be used to
> > acquire the user's Kerberos credential.  If PKINIT fails to acquire a
> > Kerberos credential an error would be returned.
> 
>  The concept seems reasonable but what will the prompts look like ?

The prompts will come from either the pkinit preauth plugin or
openssl/libcrypto which pkinit calls.  The specific prompt string will
depend on what kind of pubkey auth is being done.  See the
PKINIT-specific Options section in krb5.conf man for the specifics of
the types of pubkey supported by the pkinit plugin.

>  What if PAM_USER is setup but PAM_AUTHTOK is not (which is very likely since 
>  PAM_USER is often set by the application before pam_authenticate() is 
>  called) ?

In that case pam_krb5 would only do PKINIT since the assumption is if
PAM_AUTHTOK is not set then pam_krb5 is stacked above pam_authtok_get.

>  What will be in PAM_AUTHTOK when pam_sm_authenticate() from pam_krb5 returns 
>  ?  It should probably not be the PIN passed to a C_Login() for PKCS#11.

If the prompt type set by pkinit is KRB5_PROMPT_TYPE_PREAUTH which it
typically is then PAM_AUTHTOK will not be set.  Note that there is logic
in the prompter bridge function like:

  /* only the reply to a genuine password prompt is propagated to PAM */
  if (prompt_type[i] == KRB5_PROMPT_TYPE_PASSWORD) {
      (void)pam_set_item(pamh, PAM_AUTHTOK, (void *)ret_respp[i].resp);
  }

in case the underlying libkrb actually prompts for the user's password.
The pkinit plugin will never do this however.

> > Note that if pam_krb5 is stacked below pam_authtok_get it would function
> > as it currently does which is to get the user's Kerberos credential
> > using their long term Kerberos password.
> 
>  That seems reasonable.
> 
>  I want to see an updated pam_krb5(5) man page explaining how to use PKINIT 
>  and including the example PAM stacks for use of PKINIT.

I'll work on that and send it as a reply.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
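The stacking rule discussed in this thread, shown as an illustrative /etc/pam.conf fragment. This is an added example, not the pam_krb5(5) man page text requested above and not a stack shipped by the project: the service names, control flags and the surrounding modules are assumed from the standard Solaris login stack, and the PKINIT identity and anchor settings are assumed to live in krb5.conf (PKINIT-specific Options), not in pam.conf.

```text
# /etc/pam.conf fragment (added example, assumed layout)
#
# login: PKINIT first.  pam_krb5 runs before pam_authtok_get, so PAM_AUTHTOK
# is unset when it is called (PAM_USER may or may not be set by the
# application).  pam_krb5 therefore prompts on its own, via the pkinit
# preauth plugin, and attempts PKINIT.  "sufficient" means a successful
# PKINIT ends the auth stack, while a failed PKINIT is not fatal and falls
# through to the password modules below.  The PIN is a PREAUTH prompt, so
# PAM_AUTHTOK is never populated from it and pam_authtok_get still collects
# a password normally on the fallback path.
login   auth sufficient         pam_krb5.so.1
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1

# other: unchanged password stack.  pam_krb5 sits below pam_authtok_get, so
# PAM_AUTHTOK already holds the collected password and pam_krb5 behaves as
# it does today (initial credential from the long-term Kerberos password).
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
```

The control flag on the PKINIT line matters: with `required` a user whose PKINIT fails (no card inserted, expired certificate) could never fall back to a password, and with `requisite` the stack would stop before pam_authtok_get ever runs. `sufficient` gives the fallback while still letting a successful smartcard login skip the password modules entirely. If the application does not set PAM_USER before pam_authenticate(), pam_krb5 in the upper position has to prompt for the user name as well as the PIN, which is the "own prompting" case the proposal describes.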
