[15781] in Kerberos_V5_Development
Re: a suggestion for improving pkinit preauth plugin token choosing
daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon May 10 18:39:32 2010
Date: Mon, 10 May 2010 17:39:26 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Sam Hartman <hartmans@mit.edu>
Message-ID: <20100510223926.GA27726@sun.com>
Mail-Followup-To: Sam Hartman <hartmans@mit.edu>,
kerberos-discuss <kerberos-discuss@opensolaris.org>,
MIT Kerberos Dev List <krbdev@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <tsl7hncun7h.fsf@mit.edu>
Cc: kerberos-discuss <kerberos-discuss@opensolaris.org>,
MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, May 10, 2010 at 05:21:06AM -0400, Sam Hartman wrote:
> I agree that what you propose is an improvement over the current
> algorithm.
>
> I'm uncomfortable with two things.
>
> 1) No way at all to deal with tokens that require login. I wouldn't
> mind if this needed to be explicitly enabled. I think what the
> discussions so far have suggested is that we know of no smart cards
> falling into this category especially because they will not work with
> the MS model, but we do know of non-smart-card PKCS11 devices falling
> into this category.
The current token selection criteria in krb5.conf does allow filtering
on slot-id and token-label which do not require login (I believe). Is
this enough to allow use of tokens that require login to access certs?
What I'm thinking is that specifying just this criteria avoids the issue
of what to do if cert matching criteria is also specified but the token
requires login to discover/access the cert. If slot-id and or
token-label criteria is all that is provided then my algorithm would
work for tokens requiring login for cert access since there would either
be 0, 1 or > 1 tokens that match. If slot-id/token-label criteria isn't
enough then is a new krb5.conf parameter needed?
> 2) Prompting user to insert smart card if none are found.
>
> I think I'm in the rough on #2.
Given the admin is required to modify krb5.conf to enable PKINIT and
smart cards are removable I would think that the expectation is that
pkinit should prompt once for the smartcard/token if there are no token
matches.
Note that the prompt that we came up with is:
"If you have a smart card insert it now. Press enter to continue: "
The intention is to to indicate to the user that they either need to
insert a smart card and press enter or just press enter if they don't.
> Neither of these are blocking issues.
Got it.
--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev