[15813] in Kerberos_V5_Development
Re: a suggestion for improving pkinit preauth plugin token choosing
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Wed May 12 17:12:48 2010
Mime-Version: 1.0 (Apple Message framework v1078)
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <20100512192108.GD26150@sun.com>
Date: Wed, 12 May 2010 14:12:38 -0700
Message-Id: <0B3F84D3-DB54-47B5-A7F7-5B04AF852697@jpl.nasa.gov>
To: Will Fiveash <will.fiveash@oracle.com>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
OK, I get it. *sigh* The layering makes it hard.
TNSTAAFL
On May 12, 2010, at 12:21 PM, Will Fiveash wrote:
> On Wed, May 12, 2010 at 03:03:44PM -0400, Greg Hudson wrote:
>> On Wed, 2010-05-12 at 13:13 -0400, Henry B. Hotz wrote:
>>> If it "fails" then you can return a meaningful error message that
>>> tells the user how to do it over so it works. You can say "I couldn't
>>> find any smart cards.", or "I found the following credentials and I
>>> don't know which one to use. Please remove the extras and try
>>> again.", or "Please call extension HELP.", or even "Please call
>>> security to have yourself arrested because you are a dangerous
>>> terrorist." ;-)
>>
>> Nico and Will pointed out that PAM makes it difficult to display a
>> useful error message on failure. The preauth framework also makes it
>> difficult. If PKINIT fails, it's hard for the framework to be smart
>> enough to know that it "should have" succeeded, so it will tend to go on
>> to try other things (which will also fail).
>
> Right, and while it's true that a PAM app that logs a user into a system
> will typically try the auth stack again, unless the user is given an
> indication that something in the auth stack needs their smart card,
> things will continue to fail. Given the layering, framework constraints
> and the fact that currently it's the pkinit plugin that consumes the
> token/cert matching criteria in krb5.conf it seems like it is the best
> place to indicate to the user what it's looking for. And I think this
> is would be true for other preauth plugins.
>
> --
> Will Fiveash
> Oracle
> Note my new work e-mail address: will.fiveash@oracle.com
> http://opensolaris.org/os/project/kerberos/
> Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev