kpp <krayn...@km.ru> writes:
> Please add no_subsequent_prompt option to pam_krb5. This option is
> implemented in redhat and very useful.
> auth required pam_env.so
> auth [success=ok ignore=2 authinfo_unavail=2 default=die]
> pam_pkcs11.so card_only
> auth [default=ignore] pam_krb5.so no_initial_prompt
> auth sufficient pam_permit.so
> auth sufficient pam_krb5.so
> auth required pam_deny.so
> This pam configuration allows authorization by username/password with
> obtaining kerberos ticket ONLY if smartcard is not inserted.
> If smartcard is inserted, authorization is possible ONLY by pkcs11 and
> kerberos ticket is obtained by pam_krb5 using certificate without asking
> PIN again.
> I am unable to create the same configuration using pam_krb5 with
> try_pkinit option because of pam_krb5 will ask password if pkinit failed
> due invalid PIN.
Thanks for the report! It looks like what needs to happen to make this
work is to switch to the krb5_responder API for MIT Kerberos, which allows
the module to distinguish between the different types of things the
library is asking for and reject ones other than the PKINIT PIN.
Note that this pam_krb5 will spell this option use_pkinit, which already
exists and works with Heimdal, but is not currently supported with MIT
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>