Bug#871699: libpam-krb5: Add no_subsequent_prompt option

2017-08-10 Thread Russ Allbery
kpp  writes:

> Please add the no_subsequent_prompt option to pam_krb5. This option is
> implemented in Red Hat and is very useful.

> Example:

> auth    required                                               pam_env.so
> auth    [success=ok ignore=2 authinfo_unavail=2 default=die]  pam_pkcs11.so card_only
> auth    [default=ignore]                                       pam_krb5.so no_initial_prompt no_subsequent_prompt
> auth    sufficient                                             pam_permit.so
> auth    sufficient                                             pam_krb5.so
> auth    required                                               pam_deny.so

> This PAM configuration allows authorization by username/password, obtaining
> a Kerberos ticket, ONLY if a smartcard is not inserted.
> If a smartcard is inserted, authorization is possible ONLY by pkcs11, and the
> Kerberos ticket is obtained by pam_krb5 using the certificate, without asking
> for the PIN again.

> I am unable to create the same configuration using pam_krb5 with the
> try_pkinit option, because pam_krb5 will ask for a password if PKINIT failed
> due to an invalid PIN.

Thanks for the report!  It looks like what needs to happen to make this
work is to switch to the krb5_responder API for MIT Kerberos, which allows
the module to distinguish between the different types of things the
library is asking for and reject ones other than the PKINIT PIN.

Note that this pam_krb5 will spell this option use_pkinit, which already
exists and works with Heimdal, but is not currently supported with MIT
Kerberos.

-- 
Russ Allbery (r...@debian.org)   



Bug#871699: libpam-krb5: Add no_subsequent_prompt option

2017-08-10 Thread kpp

Package: libpam-krb5
Version: 4.7-4
Severity: normal

Dear Maintainer,

Please add the no_subsequent_prompt option to pam_krb5. This option is
implemented in Red Hat and is very useful.


Example:

auth    required                                               pam_env.so
auth    [success=ok ignore=2 authinfo_unavail=2 default=die]  pam_pkcs11.so card_only
auth    [default=ignore]                                       pam_krb5.so no_initial_prompt no_subsequent_prompt
auth    sufficient                                             pam_permit.so
auth    sufficient                                             pam_krb5.so
auth    required                                               pam_deny.so

This PAM configuration allows authorization by username/password, obtaining
a Kerberos ticket, ONLY if a smartcard is not inserted.
If a smartcard is inserted, authorization is possible ONLY by pkcs11, and the
Kerberos ticket is obtained by pam_krb5 using the certificate, without asking
for the PIN again.


I am unable to create the same configuration using pam_krb5 with the
try_pkinit option, because pam_krb5 will ask for a password if PKINIT failed
due to an invalid PIN.


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), 
LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)

Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-krb5 depends on:
ii  krb5-config     2.6
ii  libc6           2.24-11+deb9u1
ii  libkrb5-3       1.15-1
ii  libpam-runtime  1.1.8-3.6
ii  libpam0g        1.1.8-3.6

libpam-krb5 recommends no packages.

libpam-krb5 suggests no packages.

-- no debconf information
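The control flow of the auth stack posted in this report, traced with an added example (not code from pam_krb5, pam_pkcs11 or Linux-PAM): a small Python simulator that applies the pam.conf(5) [value=action] semantics (ok, done, ignore, bad, die, and a jump count N) to the reported stack and to a plain try_pkinit arrangement. The module models (pam_pkcs11_card_only, pam_krb5_silent, pam_krb5_try_pkinit and the rest) are simplified assumptions that encode only the behaviour the report describes, and the World inputs are constructed; the simulator itself ignores the real stack's caching of PAM_IGNORE return values and other details of _pam_dispatch_aux.

```python
"""Added example, not Linux-PAM or pam_krb5 code: a simplified simulator of
Linux-PAM auth-stack control flow, used to trace the smartcard stack posted
in Debian bug #871699.  Module behaviours are assumptions that model only
what the report describes."""

from dataclasses import dataclass, field

SUCCESS, IGNORE, AUTHINFO_UNAVAIL, AUTH_ERR = (
    "success", "ignore", "authinfo_unavail", "auth_err")

# Keyword controls in their [value=action] form, as documented in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """'[success=ok ignore=2 default=die]' -> {'success': 'ok', 'ignore': 2, 'default': 'die'}"""
    control = KEYWORDS.get(control, control)
    table = {}
    for item in control.strip("[]").split():
        value, action = item.split("=")
        table[value] = int(action) if action.isdigit() else action
    return table


@dataclass
class World:
    """Constructed environment for one login attempt (assumed inputs)."""
    card_inserted: bool
    pin_ok: bool = True
    password_ok: bool = True
    prompts: list = field(default_factory=list)   # what the user was asked for


# --- simplified module models (assumptions, not the real modules) ---
def pam_env(w):
    return SUCCESS

def pam_pkcs11_card_only(w):
    if not w.card_inserted:
        return IGNORE                      # card_only: step aside without a token
    w.prompts.append("PIN")
    return SUCCESS if w.pin_ok else AUTH_ERR

def pam_krb5_silent(w):
    # no_initial_prompt + no_subsequent_prompt: PKINIT with the PIN that
    # pam_pkcs11 already collected; never asks the user for anything.
    return SUCCESS if w.card_inserted and w.pin_ok else AUTH_ERR

def pam_krb5_password(w):
    w.prompts.append("password")
    return SUCCESS if w.password_ok else AUTH_ERR

def pam_krb5_try_pkinit(w):
    # Behaviour the report describes for try_pkinit: attempt PKINIT with the
    # card, then fall back to a password prompt when PKINIT fails.
    if w.card_inserted:
        w.prompts.append("PIN")
        if w.pin_ok:
            return SUCCESS
    return pam_krb5_password(w)

def pam_permit(w):
    return SUCCESS

def pam_deny(w):
    return AUTH_ERR


def run_stack(stack, world):
    """Evaluate [(control, module_fn), ...] with pam.conf(5) action semantics."""
    failed = None          # first failure that counted (bad/die)
    passed = False         # some module contributed a success (ok/done/N)
    i = 0
    while i < len(stack):
        control, module = stack[i]
        retval = module(world)
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if action == "ignore":
            pass
        elif action in ("bad", "die"):
            failed = failed or retval
            if action == "die":
                break                       # die: stop the stack immediately
        else:                               # ok, done, or a jump count N
            if failed is None and retval != IGNORE:
                passed = True
            if action == "done" and failed is None:
                break                       # done: success, stop the stack
            if isinstance(action, int):
                i += action                 # N: ok plus skip the next N entries
        i += 1
    if failed is not None:
        return failed
    return SUCCESS if passed else AUTH_ERR  # nobody vouched for the user: deny


# The auth stack from the report.
REPORTED_STACK = [
    ("required", pam_env),
    ("[success=ok ignore=2 authinfo_unavail=2 default=die]", pam_pkcs11_card_only),
    ("[default=ignore]", pam_krb5_silent),
    ("sufficient", pam_permit),
    ("sufficient", pam_krb5_password),
    ("required", pam_deny),
]

# The try_pkinit arrangement the report says it could not use.
TRY_PKINIT_STACK = [
    ("required", pam_env),
    ("sufficient", pam_krb5_try_pkinit),
    ("required", pam_deny),
]


def login(stack, **kw):
    """Return (stack result, list of prompts the user saw)."""
    w = World(**kw)
    return run_stack(stack, w), w.prompts


if __name__ == "__main__":
    for name, kw in (("no card", dict(card_inserted=False)),
                     ("card, good PIN", dict(card_inserted=True)),
                     ("card, bad PIN", dict(card_inserted=True, pin_ok=False))):
        print(f"{name:15} reported: {login(REPORTED_STACK, **kw)}"
              f"  try_pkinit: {login(TRY_PKINIT_STACK, **kw)}")
```

The interesting trace is the card-with-wrong-PIN case: in the reported stack the default=die action on pam_pkcs11 ends the stack after the single PIN prompt, whereas the try_pkinit model falls through to a password prompt and can still succeed on the password, which is the fallback the report wants to rule out. The ignore=2 jump is what routes the no-card case straight to the password-prompting pam_krb5 line while skipping both the silent pam_krb5 line and pam_permit.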