> Man pages and other supporting material are in the materials subdir of
> the case.
The documentation has come a long way since I last saw this.
Thanks. I've still not completed an understanding of
the opensc-project.org/pam_pkcs11/pam_pkcs11.html doc, so I
expect I may not grasp the whole thing yet. However, a few
comments and questions:
I wanted to point out that this work is a continuation of the
work our Summer Intern, Brendan O'Connor, started working with
Huie Ying. I promised him I'd add him to the interest and
have in the IAM file.
Nits:
* I presume when pam_pkcs11.5.sunman gets delivered into the
/usr/share/*/man tree it will be just .5. If not I'd like
to understand the precedence for the sunman suffix.
* The man pages are missing ATTRIBUTES sections.
* The DESCRIPTION of pkcs11_inspect and pkcs11_find still
refer to pam_pkcs11(8). The SEE ALSOs refer to pam_pkcs11(5)
as I'd expect, modulo the sunman thing above.
Questions:
1) pam_pkcs11(5) refers to opensc-project.org/pam_pkcs11/pam_pkcs11.html
for administrator documents. How is this project going to keep
in sync with the community? IMO, it would be appropriate to have
sufficient documentation within the Solaris docs areas so the
community docs are secondary to the Sun docs delivered for a
particular release. It would seem appropriate to have that
documentation as part of this case.
2) Huie Ying answered that the community version doesn't support
pam_acct_mgmt(). This seems like a common oversight and a
violation of the separation of authentication from account
validation that is part of the PAM architecture. I would think
that certificate validation (and CRL processing) would be
part of account validation. Why shouldn't that be and why
shouldn't Sun contribute that to the community?
3) What changes has Sun made (beyond sample configuration file
changes)? Are these being contributed back to the community?
4) Given that this is intended to replace the EOLed pam_smartcard,
I don't see sufficient Sun documentation (at least from what's
in this case) to guide me through how to use pam_pkcs11 to
replace pam_smartcard. I would have expected at least that
much detail as pam_smartcard was equivalent to a "Committed"
interface in the past and its use more or less well documented
in Sun documentation.
P.S. I'm looking forward to the removal of the closed pam_smartcard
and the project private interfaces in libpam that are there to
support pam_smartcard ;-)
5) To me, the documentation is unclear as to how to properly
configure pam.conf to use pam_pkcs11. Saying "add the
pam_pkcs11.so module to the /etc/pam.conf file as below:
login auth sufficient pam_pkcs11.so"
seems inadequate. Where should it be put in the default
delivered login stack?
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
How does it interact with other possible changes for
Kerberos in addition to Unix authentication?
Should it be stacked below pam_authtok_get?
Gary..
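To make the stacking question in item 5 concrete, the following is an added Python simulation; it is not part of the original message, nor code from the pam_pkcs11 project. It models the pam.conf(4) control-flag semantics (requisite, required, sufficient, optional) and walks the default login auth stack quoted above with a "sufficient pam_pkcs11.so" entry inserted at different positions, so you can see which modules are reached (and therefore whether pam_authtok_get prompts for a password) and what the final verdict is. The module names and the default stack come from the message; the placements compared and the pass/fail outcomes assigned to each module are constructed scenarios, not a recommended configuration.

```python
"""Simulate pam.conf(4) control-flag semantics for the Solaris login auth
stack to compare where a 'sufficient' pam_pkcs11.so entry could be placed.
Added illustration; not pam_pkcs11 project code."""

# Default login auth stack as quoted in the review.
DEFAULT_LOGIN_AUTH = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("required", "pam_unix_auth.so.1"),
    ("required", "pam_dial_auth.so.1"),
]

# The entry the documentation says to add (control flag from the message).
PKCS11_ENTRY = ("sufficient", "pam_pkcs11.so")


def evaluate_stack(stack, module_results):
    """Walk an auth stack and return (verdict, invoked_modules).

    module_results maps a module name to True (PAM_SUCCESS) or False
    (any failure). Control-flag semantics follow pam.conf(4):
      requisite  - on failure, stop immediately and fail
      required   - failure is remembered, the stack keeps running, and
                   the final verdict is failure
      sufficient - on success with no earlier required failure, stop and
                   succeed; on failure the result is ignored
      optional   - result ignored (simplification: assumes the stack
                   contains other, non-optional modules)
    """
    invoked = []
    required_failed = False
    for control, module in stack:
        invoked.append(module)
        ok = module_results.get(module, False)
        if control == "requisite" and not ok:
            return "failure", invoked
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return "success", invoked
    return ("failure" if required_failed else "success"), invoked


def with_pkcs11_at(index):
    """Return a copy of the default stack with pam_pkcs11.so inserted at index."""
    stack = list(DEFAULT_LOGIN_AUTH)
    stack.insert(index, PKCS11_ENTRY)
    return stack


def render(stack, service="login", facility="auth"):
    """Render a stack as pam.conf lines."""
    return "\n".join(f"{service} {facility} {control} {module}" for control, module in stack)


def results(card_ok=True, unix_ok=True):
    """Constructed per-module outcomes: every module succeeds except as overridden."""
    outcome = {module: True for _, module in DEFAULT_LOGIN_AUTH}
    outcome["pam_pkcs11.so"] = card_ok
    outcome["pam_unix_auth.so.1"] = unix_ok
    return outcome


def compare_placements():
    """Run the constructed scenarios and return {name: (verdict, invoked)}."""
    return {
        # Card auth succeeds, entry placed above pam_authtok_get:
        # no password prompt, stack short-circuits after the card module.
        "card_ok_top": evaluate_stack(with_pkcs11_at(0), results()),
        # Same, but placed below pam_authtok_get: the password is still
        # collected before the card module ever runs.
        "card_ok_after_authtok_get": evaluate_stack(with_pkcs11_at(1), results()),
        # No card: the sufficient failure is ignored and the rest of the
        # stack decides, so Unix password login still works.
        "no_card_top": evaluate_stack(with_pkcs11_at(0), results(card_ok=False)),
        # Placed at the bottom with a failed Unix password: an earlier
        # required failure means the card's success cannot rescue the login.
        "card_ok_unix_fail_bottom": evaluate_stack(
            with_pkcs11_at(len(DEFAULT_LOGIN_AUTH)), results(unix_ok=False)),
    }


if __name__ == "__main__":
    print(render(with_pkcs11_at(0)))
    for name, (verdict, invoked) in compare_placements().items():
        print(f"{name}: {verdict}; invoked {invoked}")
```

The "card_ok_top" versus "card_ok_after_authtok_get" pair is the crux of the question: because pam_authtok_get is requisite and runs first, any placement below it means a password prompt precedes the certificate check, while a placement above it lets a successful card authentication end the stack before any password is requested. The last scenario shows that a sufficient entry below the required modules can never act as a fallback once one of them has failed.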