On Wed, Dec 09, 2009 at 02:34:09PM -0500, Wyllys Ingersoll wrote: > Gary Winiger wrote: > >>> One question; should pam_krb5 doing PKINIT ever try using the password > >>> acquired via pam_authtok_get as the PIN if pam_krb5 is stacked below > >>> pam_authtok_get like so: > >>> > >>> login auth required pam_unix_cred.so.1 > >>> login auth sufficient pam_krb5.so.1 pkinit > >>> login auth requisite pam_authtok_get.so.1 > >>> login auth required pam_dhkeys.so.1 > >>> login auth required pam_unix_auth.so.1 > >>> ? > >>> > >>> I was thinking that pam_krb5 could try doing PKINIT preauth with the > >>> user's password and if that failed would try PKINIT preauth again, this > >>> time prompting for the user's PIN. If that is a bad idea then pam_krb5 > >>> doing PKINIT would ignore the user's password and always prompt for the > >>> PIN regardless of where it was in the auth stack. > > > > IMO, it is a site configuration error to put pkinit below > > authtok_get. That said, it is possible for applications > > to set PAM_AUTHTOK before calling pam_authenticate. > > > > IMO, you either have an administrative error, or an application > > error. I'd say, if PAM_AUTHTOK is set to use it rather than > > prompt. If it locks out the card, the admin/application will > > be noted as buggy. > > > > Gary.. > > We talked about this in the KRB5 iTeam meeting today and I agree. > Basically, my opinion boils down to this: > > * if PAM_AUTHTOK is set (regardless of who set it, the app or > pam_authtok_get), pam_krb5+pkinit > should attempt to use it. If it fails, return AUTHFAIL.
Yes, this is what I was thinking. If the admin wants pam_krb5 pkinit to prompt for a PIN, stack it above pam_authtok_get. If, for whatever reason, they want to use the password acquired by pam_authtok_get to access the user's private key for PKINIT then stack pam_krb5 pkinit below pam_authtok_get. Note that this behavior does not preclude "try PKINIT, fall back to password krb auth" scenario in either of these stacks: Example 1: login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 pkinit # This prompts for PIN login auth requisite pam_authtok_get.so.1 login auth required pam_krb5.so.1 # will try password based krb auth if pam_krb5.so.1 pkinit fails Example 2: login auth required pam_unix_cred.so.1 login auth requisite pam_authtok_get.so.1 login auth sufficient pam_krb5.so.1 pkinit # This uses PAM_AUTHTOK, will not prompt at all login auth required pam_krb5.so.1 # will try password based krb auth using PAM_AUTHTOK # if pam_krb5.so.1 pkinit fails > * If PAM_AUTHTOK is NOT set, prompt for the PIN and attempt to use it. If it > fails, return > AUTHFAIL. Well, depending on the control flag it will either return failure or ignore. > Ignoring PAM_AUTHTOK is bad and it is equally bad to the user's experience to > prompt twice > for essentially the same information. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Sent from mutt, a sweet ASCII MUA