On Tue, Oct 27, 2009 at 04:47:00PM -0500, Will Fiveash wrote:
> On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
> >
> > The concept seems reasonable but what will the prompts look like ?
>
> I've been doing some testing and I have a question in regards to the
> pkinit preauth plugin, libpkcs11 and the resulting prompting behavior.
> What I'm seeing is if the system is configured to try PKINIT in addition
> to password timestamp, a user will be prompted for a PIN like so:
>
> Sun Metaslot PIN:
>
> regardless of whether the user has a cert/key token in their PKCS11
> objectstore or not.  This happens with both kinit and pam_krb5.  This
> doesn't seem reasonable to prompt a user for a PIN in the case a token
> containing a cert/key does not exist.  Thoughts?
More info: it appears that in pkinit_open_session() there is code calling
C_Initialize, C_GetSlotList, C_OpenSession, C_GetTokenInfo.  C_GetTokenInfo
appears to set CKF_LOGIN_REQUIRED in the output object's flags.  This in
turn causes the PIN prompt for a user that does not have any cert token
object in their softtoken objstore.  I also see this code in
lib/pkcs11/pkcs11_softtoken/common/softSlotToken.c:C_GetTokenInfo()

    pInfo->flags = SOFT_TOKEN_FLAGS | token_flag;

where SOFT_TOKEN_FLAGS is:

    #define SOFT_TOKEN_FLAGS    CKF_RNG|\
                                CKF_USER_PIN_INITIALIZED|\
                                CKF_LOGIN_REQUIRED|\
                                ^^^^^^^^^^^^^^^^^^
                                CKF_RESTORE_KEY_NOT_NEEDED|\
                                CKF_DUAL_CRYPTO_OPERATIONS|\
                                CKF_TOKEN_INITIALIZED

Is this a Solaris PKCS11 bug?  Note, the user did a pktool setpin earlier.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
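As an added illustration of the behaviour discussed in this thread (this is example code, not code from the MIT pkinit plugin, libpkcs11 or the Solaris softtoken): the softtoken always reports CKF_LOGIN_REQUIRED, so a caller that prompts for a PIN on that flag alone will prompt even when the objectstore is empty. The decision function below models the check a caller can add instead: after C_GetTokenInfo, search the session for public CKO_CERTIFICATE objects (visible without C_Login) and only prompt when at least one exists; otherwise PKINIT is skipped silently and the password preauth runs as before. The PKCS#11 types, flag values and the small function table are redeclared here in minimal form so the file builds without a vendor header (values are the PKCS#11 v2.x constants); the in-memory token is constructed, with the same flag set as the quoted SOFT_TOKEN_FLAGS.

```c
/* Example (not from the thread or the Solaris/MIT sources): decide whether a
 * PKINIT client should prompt for a PIN, given a token that always sets
 * CKF_LOGIN_REQUIRED.  Minimal PKCS#11 declarations so this builds stand-alone. */
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_SLOT_ID, CK_FLAGS, CK_OBJECT_CLASS, CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_SESSION_HANDLE, CK_OBJECT_HANDLE;

#define CKR_OK                     0x0UL
#define CKR_ARGUMENTS_BAD          0x7UL
#define CKF_RNG                    0x1UL
#define CKF_LOGIN_REQUIRED         0x4UL
#define CKF_USER_PIN_INITIALIZED   0x8UL
#define CKF_RESTORE_KEY_NOT_NEEDED 0x20UL
#define CKF_DUAL_CRYPTO_OPERATIONS 0x200UL
#define CKF_TOKEN_INITIALIZED      0x400UL
#define CKO_CERTIFICATE            0x1UL
#define CKA_CLASS                  0x0UL

typedef struct { CK_FLAGS flags; } CK_TOKEN_INFO;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

/* Hypothetical subset of CK_FUNCTION_LIST: only the entry points the check needs. */
typedef struct {
    CK_RV (*GetTokenInfo)(CK_SLOT_ID, CK_TOKEN_INFO *);
    CK_RV (*FindObjectsInit)(CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
    CK_RV (*FindObjects)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG, CK_ULONG *);
    CK_RV (*FindObjectsFinal)(CK_SESSION_HANDLE);
} P11;

/* Count certificate objects visible in an unauthenticated (pre-C_Login) session. */
static int count_public_certs(const P11 *p11, CK_SESSION_HANDLE h) {
    CK_OBJECT_CLASS cls = CKO_CERTIFICATE;
    CK_ATTRIBUTE tmpl = { CKA_CLASS, &cls, sizeof cls };
    CK_OBJECT_HANDLE objs[8];
    CK_ULONG n = 0, total = 0;
    if (p11->FindObjectsInit(h, &tmpl, 1) != CKR_OK) return -1;
    while (p11->FindObjects(h, objs, 8, &n) == CKR_OK && n > 0) total += n;
    p11->FindObjectsFinal(h);
    return (int)total;
}

/* 1 = prompt for the PIN, 0 = skip PKINIT and fall back to password preauth.
 * CKF_LOGIN_REQUIRED alone is not enough: the token must also hold a certificate. */
int should_prompt_for_pin(const P11 *p11, CK_SLOT_ID slot, CK_SESSION_HANDLE h) {
    CK_TOKEN_INFO ti;
    if (p11->GetTokenInfo(slot, &ti) != CKR_OK) return 0;
    if (!(ti.flags & CKF_TOKEN_INITIALIZED)) return 0;
    if (!(ti.flags & CKF_LOGIN_REQUIRED)) return 0;   /* nothing to log in to */
    return count_public_certs(p11, h) > 0;            /* the added check */
}

/* --- constructed in-memory softtoken stand-in so the example runs offline --- */
static CK_ULONG fake_ncerts;   /* certificate objects the fake token holds */
static CK_ULONG fake_cursor;   /* search position for FindObjects */

static CK_RV fake_gti(CK_SLOT_ID s, CK_TOKEN_INFO *ti) {
    (void)s;
    /* Same flag set as the SOFT_TOKEN_FLAGS macro quoted in the mail. */
    ti->flags = CKF_RNG | CKF_USER_PIN_INITIALIZED | CKF_LOGIN_REQUIRED |
                CKF_RESTORE_KEY_NOT_NEEDED | CKF_DUAL_CRYPTO_OPERATIONS |
                CKF_TOKEN_INITIALIZED;
    return CKR_OK;
}
static CK_RV fake_foi(CK_SESSION_HANDLE h, CK_ATTRIBUTE *t, CK_ULONG n) {
    (void)h;
    fake_cursor = 0;
    return (n == 1 && t[0].type == CKA_CLASS &&
            *(CK_OBJECT_CLASS *)t[0].pValue == CKO_CERTIFICATE) ? CKR_OK : CKR_ARGUMENTS_BAD;
}
static CK_RV fake_fo(CK_SESSION_HANDLE h, CK_OBJECT_HANDLE *out, CK_ULONG max, CK_ULONG *n) {
    (void)h;
    *n = 0;
    while (fake_cursor < fake_ncerts && *n < max) out[(*n)++] = ++fake_cursor;
    return CKR_OK;
}
static CK_RV fake_fof(CK_SESSION_HANDLE h) { (void)h; return CKR_OK; }
static const P11 fake = { fake_gti, fake_foi, fake_fo, fake_fof };

/* Run the decision against a fake token holding `ncerts` certificate objects. */
int decide_with_fake_token(CK_ULONG ncerts) {
    fake_ncerts = ncerts;
    return should_prompt_for_pin(&fake, 0, 1);
}

int main(void) {
    printf("empty objectstore: prompt=%d\n", decide_with_fake_token(0));
    printf("one certificate:   prompt=%d\n", decide_with_fake_token(1));
    return 0;
}
```

With an empty objectstore the fake token still advertises CKF_LOGIN_REQUIRED, exactly as the Solaris softtoken does after pktool setpin, yet no prompt is issued; once a certificate object is present the prompt goes ahead. Searching for public objects before C_Login costs one C_FindObjects pass and avoids asking users for a PIN they have no reason to possess.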