On Thu, Dec 10, 2009 at 10:20:44AM -0800, Henry B. Hotz wrote:
> 
> On Dec 9, 2009, at 11:34 AM, Wyllys Ingersoll wrote:
> 
> > Basically, my opinion boils down to this:
> > 
> > * if PAM_AUTHTOK is set (regardless of who set it, the app or
> > pam_authtok_get), pam_krb5+pkinit should attempt to use it.  If it
> > fails, return AUTHFAIL.
> > 
> > * If PAM_AUTHTOK is NOT set, prompt for the PIN and attempt to use it.
> > If it fails, return AUTHFAIL.
> > 
> > Ignoring PAM_AUTHTOK is bad and it is equally bad for the user's
> > experience to prompt twice for essentially the same information.
> 
> 
> I think this needs expanding to cover card readers with built-in PIN pads (as 
> DE said).

pam_krb5 is relying on the underlying krb pkinit preauth plugin to
prompt for what it needs in order to try PKINIT (this is also true of
kinit).  Given this I would say that the pkinit preauth plugin needs to
support those types of card readers and do the right thing with regard to
prompting.  If support is found to be inadequate then an RFE CR (request
for enhancement change request) needs to be created to have the pkinit
preauth plugin enhanced to properly handle those types of card readers.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
