[15807] in Kerberos_V5_Development
Re: a suggestion for improving pkinit preauth plugin token choosing
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 12 15:03:47 2010
From: Greg Hudson <ghudson@mit.edu>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <68359A5E-03EA-4ED1-84C4-DDBE174BD930@jpl.nasa.gov>
Date: Wed, 12 May 2010 15:03:44 -0400
Message-ID: <1273691024.2419.31.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Wed, 2010-05-12 at 13:13 -0400, Henry B. Hotz wrote:
> If it "fails" then you can return a meaningful error message that
> tells the user how to do it over so it works. You can say "I couldn't
> find any smart cards.", or "I found the following credentials and I
> don't know which one to use. Please remove the extras and try
> again.", or "Please call extension HELP.", or even "Please call
> security to have yourself arrested because you are a dangerous
> terrorist." ;-)
Nico and Will pointed out that PAM makes it difficult to display a
useful error message on failure. The preauth framework also makes it
difficult. If PKINIT fails, it's hard for the framework to be smart
enough to know that it "should have" succeeded, so it will tend to go on
to try other things (which will also fail).
You can see similar problems with ssh. Negotiation and fallback
mechanisms tend to come at a cost of failure-case usability.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev