On Wed, Dec 09, 2009 at 02:34:09PM -0500, Wyllys Ingersoll wrote:
> Gary Winiger wrote:
> >>> One question; should pam_krb5 doing PKINIT ever try using the password
> >>> acquired via pam_authtok_get as the PIN if pam_krb5 is stacked below
> >>> pam_authtok_get like so:
> >>>
> >>> login auth required pam_unix_cred.so.1
> >>> login auth sufficient pam_krb5.so.1 pkinit
> >>> login auth requisite pam_authtok_get.so.1
> >>> login auth required pam_dhkeys.so.1
> >>> login auth required pam_unix_auth.so.1
> >>> ?
> >>>
> >>> I was thinking that pam_krb5 could try doing PKINIT preauth with the
> >>> user's password and if that failed would try PKINIT preauth again, this
> >>> time prompting for the user's PIN. If that is a bad idea then pam_krb5
> >>> doing PKINIT would ignore the user's password and always prompt for the
> >>> PIN regardless of where it was in the auth stack.
> >
> > IMO, it is a site configuration error to put pkinit below
> > authtok_get. That said, it is possible for applications
> > to set PAM_AUTHTOK before calling pam_authenticate.
> >
> > IMO, you either have an administrative error, or an application
> > error. I'd say, if PAM_AUTHTOK is set to use it rather than
> > prompt. If it locks out the card, the admin/application will
> > be noted as buggy.
> >
> > Gary..
>
> We talked about this in the KRB5 iTeam meeting today and I agree.
> Basically, my opinion boils down to this:
>
> * if PAM_AUTHTOK is set (regardless of who set it, the app or
> pam_authtok_get), pam_krb5+pkinit
> should attempt to use it. If it fails, return AUTHFAIL.
Yes, this is what I was thinking. If the admin wants pam_krb5 pkinit to
prompt for a PIN, stack it above pam_authtok_get. If, for whatever
reason, they want to use the password acquired by pam_authtok_get
to access the user's private key for PKINIT then stack pam_krb5 pkinit
below pam_authtok_get. Note that this behavior does not preclude "try
PKINIT, fall back to password krb auth" scenario in either of these
stacks:
Example 1:
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 pkinit # This prompts for PIN
login auth requisite pam_authtok_get.so.1
login auth required pam_krb5.so.1 # will try password based
krb auth if pam_krb5.so.1 pkinit fails
Example 2:
login auth required pam_unix_cred.so.1
login auth requisite pam_authtok_get.so.1
login auth sufficient pam_krb5.so.1 pkinit # This uses
PAM_AUTHTOK, will not prompt at all
login auth required pam_krb5.so.1 # will try password based
krb auth using PAM_AUTHTOK
# if pam_krb5.so.1 pkinit
fails
> * If PAM_AUTHTOK is NOT set, prompt for the PIN and attempt to use it. If it
> fails, return
> AUTHFAIL.
Well, depending on the control flag it will either return failure or
ignore.
> Ignoring PAM_AUTHTOK is bad and it is equally bad to the user's experience to
> prompt twice
> for essentially the same information.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
