On Dec 9, 2009, at 11:34 AM, Wyllys Ingersoll wrote:

> Basically, my opinion boils down to this:
> 
> * if PAM_AUTHTOK is set (regardless of who set it, the app or pam_authtok_get),
> pam_krb5+pkinit should attempt to use it.  If it fails, return AUTHFAIL.
> 
> * If PAM_AUTHTOK is NOT set, prompt for the PIN and attempt to use it.  If it
> fails, return AUTHFAIL.
> 
> Ignoring PAM_AUTHTOK is bad and it is equally bad to the user's experience to
> prompt twice for essentially the same information.


I think this needs expanding to cover card readers with built-in PIN pads (as DE said).
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu


