[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pam_krb5 with PKINIT from Heimdal and MIT
Jeffrey Hutzelman wrote:
> On Friday, October 13, 2006 09:52:02 AM -0500 "Douglas E. Engert"
> <email@example.com> wrote:
>> The way PAM works today i.e. get a username and password
>> then call all the pam routines one at a time with the same password
> That's not how PAM works. It is up to individual PAM modules to request
> that the application prompt the user for a username, password, or other
> data. The framework provides a mechanism (the PAM_USER and PAM_AUTHTOK
> items) for caching and reusing the previously-entered username and/or
> password when appropriate, but it is up to individual modules to decide
> when to do this. For many modules, this behavior is controlled by the
> pam_first_pass and pam_try_first options.
I understand that it can be done the other way. Its just that in most
distributions its done with using the same authtok. Solaris 10 goes so far
as to use pam_authtok.so to prompt for "Password:" before any of the
individual modules do.
It practice, even on non-Solaris systems, what the user sees is "Password:"
and has no idea which password this is referring too. Multiple
"Password:" prompts could be a failed first password, with try_first_pass
and a second chance, or a second pam module prompting.
We have seen on some systems where Kerberos can be used, but the user uses
the local password that the Kerberos is tried first, and the W2K3
KDC logs a failure, and can turn off an account.
The pam_krb5-2.4 for example will use "Password: " and will
do pam_set_item(ctx->pamh, authtok, pass); just in case it is not the Kerberos
What I am asking is the vendors like, RedHat, Sun, Debian to look at these
other pam issues while looking at the pam_krb5 and Kerberos pre-auth and change
the default behavior such that it is obvious to the user what "Password:" is being
requested, as well as recognize that smart card readers with pin pads
can't use the "Password:" prompt.
> -- Jeff
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439