On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
>
> The concept seems reasonable but what will the prompts look like ?

I've been doing some testing and I have a question in regards to the pkinit preauth plugin, libpkcs11 and the resulting prompting behavior. What I'm seeing is if the system is configured to try PKINIT in addition to password timestamp, a user will be prompted for a PIN like so:

    Sun Metaslot PIN:

regardless of whether the user has a cert/key token in their PKCS11 objectstore or not. This happens with both kinit and pam_krb5.

This doesn't seem reasonable to prompt a user for a PIN in the case a token containing a cert/key does not exist. Thoughts?

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA