Will Fiveash wrote:
> On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
>> The concept seems reasonable but what will the prompts look like ?
>
> I've been doing some testing and I have a question in regards to the
> pkinit preauth plugin, libpkcs11 and the resulting prompting behavior.
> What I'm seeing is if the system is configured to try PKINIT in addition
> to password timestamp, a user will be prompted for a PIN like so:
>
> Sun Metaslot PIN:
>
> regardless of whether the user has a cert/key token in their PKCS11
> objectstore or not. This happens with both kinit and pam_krb5. This
> doesn't seem reasonable to prompt a user for a PIN in the case a token
> containing a cert/key does not exist. Thoughts?
Sounds like an issue, but not one that this case introduced, especially since it happens with kinit already. So while I agree it isn't nice, I don't think this case should be tasked with fixing it, given that it is already the behaviour we have and that pam_krb5 isn't in the default stack for the initial login programs (i.e. gdm and /bin/login).

So let's take this offline from this case and see what we can do about it.

-- 
Darren J Moffat