adding support to pkinit plugin for a PIN option?

adding support to pkinit plugin for a PIN option?

Will Fiveash-2
I would like to add support to the pkinit preauth plugin to support a
PIN option in the pkinit_identity_opts.  This would allow the Solaris
pam_krb5 to support PKINIT preauth by providing an interface it can use
to pass the PIN to the pkinit preauth plugin via:

krb5_get_init_creds_opt_set_pa(kcontext, opts, "PIN", *krb5_pass);

If the PIN option is set this way, the pkinit preauth plugin wouldn't
prompt the user for their PIN and would just use the PIN option.  This
allows pam_krb5 to use PAM-compatible prompting to acquire the PIN.

I can submit changes for this as a pull request if that seems
reasonable.  Thoughts?

--
Will Fiveash
Oracle Solaris Software Engineer
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: adding support to pkinit plugin for a PIN option?

Greg Hudson
On 05/13/2014 07:52 PM, Will Fiveash wrote:
> I would like to add support to the pkinit preauth plugin to support a
> PIN option in the pkinit_identity_opts.

We have support for doing this already via the responder:


http://web.mit.edu/kerberos/krb5-latest/doc/appdev/init_creds.html#user-interaction

Does this work for you?  I know it's a little more complicated, but we
haven't traditionally conveyed authentication secrets through preauth
options.