
Re: Use of PKINIT from PAM

"Douglas E. Engert" <deengert@anl.gov> writes:

>> Also, I wonder if the code should resolve private key when calling
>> krb5_get_init_creds_opt_set_pkinit. instead maybe it should wait until
>> krb5_get_init_creds is called.
>
> So far the PAM interface is primitive. If the password from PAM is
> blank, it tries PKINIT, and a separate prompt is issued for the pin.
> But there might be a better way, like test if there is a smartcard
> present in the reader then use it, if not assume use passwords.
> Right now that functionality is missing.
>
> If this functionality was added would it be a separate call, or
> part of krb5_get_init_creds_opt_pkint, or krb5_get_init_creds?

I think smartcard/cert detection is something that should be tried if it's
possible. But what I was thinking about was pushing the
ENGINE_load_private_key/PEM_read_PrivateKey + X509_check_private_key into
the init_cred_loop. I don't really know if it's any better, it just feels
better to have all prompting done from the same place.

Speaking of PAM, I assume you are using GDM or the KDE equivalent when
testing, xdm seems to be a little simplistic in its PAM support.

Love