
Re: pkinit/opensc/soft-pkcs11



Douglas E. Engert wrote:
...
>>
>> Just in case anyone cares, my goal here is to have a pkcs11 software 
>> token that requires login to retrieve a user key/cert pair, and to 
>> upon "login" to actually acquire the key/cert from a globus myproxy 
>> server.
> 
>
> So how are you authenticating to the myproxy?
> It is not clear why you are trying to do all of this from the pkcs11.
> It sounds like it should be multiple operations. Maybe via PAM.
> Are you going to use the "pin" to authenticate to the myproxy?
> 

Yes, I plan on using the pin. My rationale for going the pkcs11 route is 
that it means that users will be able to acquire new credentials post 
login simply by running kinit. The password to the myproxy server is 
validated against an OTP server. If/when sometime down the road we shift 
to using smart cards for authentication rather than OTP fobs, it simply 
means that we swap out the myproxy/soft-pkcs11 library for one that 
actually interfaces with whatever smartcard we end up standardizing on.

Multi-module PAM stacks work fine for initial login, but I don't know of 
a generic PAM-aware "acquire new credentials" application.

I'm open to alternate suggestions, but I think that the user experience 
of having kinit do the right thing without needing the user to 
explicitly take the myproxy step will be a win. I could just replace 
kinit with a script that does both kinit and myproxy; however, if I can 
come up with a solution that just requires configuration changes to what 
will ultimately be the standard heimdal code/apps rather than replacing 
them with wrappers, I'll be happier.


-Matt