Gary Winiger wrote:
>>> One question; should pam_krb5 doing PKINIT ever try using the password
>>> acquired via pam_authtok_get as the PIN if pam_krb5 is stacked below
>>> pam_authtok_get like so:
>>>
>>>        login auth required           pam_unix_cred.so.1
>>>        login auth sufficient         pam_krb5.so.1 pkinit
>>>        login auth requisite          pam_authtok_get.so.1
>>>        login auth required           pam_dhkeys.so.1
>>>        login auth required           pam_unix_auth.so.1
>>> ?
>>>
>>> I was thinking that pam_krb5 could try doing PKINIT preauth with the
>>> user's password and if that failed would try PKINIT preauth again, this
>>> time prompting for the user's PIN.  If that is a bad idea then pam_krb5
>>> doing PKINIT would ignore the user's password and always prompt for the
>>> PIN regardless of where it was in the auth stack.
> 
>       IMO, it is a site configuration error to put pkinit below
>       authtok_get.  That said, it is possible for applications
>       to set PAM_AUTHTOK before calling pam_authenticate.
> 
>       IMO, you either have an administrative error, or an application
>       error.  I'd say, if PAM_AUTHTOK is set to use it rather than
>       prompt.  If it locks out the card, the admin/application will
>       be noted as buggy.
> 
> Gary..

We talked about this in the KRB5 iTeam meeting today and I agree.
Basically, my opinion boils down to this:

* If PAM_AUTHTOK is set (regardless of who set it, the app or pam_authtok_get), pam_krb5+pkinit should attempt to use it.  If it fails, return AUTHFAIL.

* If PAM_AUTHTOK is NOT set, prompt for the PIN and attempt to use it.  If it fails, return AUTHFAIL.

Ignoring PAM_AUTHTOK is bad and it is equally bad to the user's experience to prompt twice for essentially the same information.

-Wyllys