pkinit-nss.

Patrik Martinsson Patrik.Martinsson at smhi.se
Fri May 7 05:36:10 EDT 2010


Hello,

I'm curious about the pkinit-nss native support in kerberos > 1.6.3.
Maybe I'm wrong here, but as I understand it I should not need the
pkinit-nss plugin (http://git.fedorahosted.org/git/?p=pkinit-nss.git),
as this is supposed to be inbuilt in kerberos. However, I can't get the
"inbuilt" pkinit-nss to work, and when I'm looking quickly through the
source, I can't really see anything about nss (I'm not an experienced
programmer, so I could definitely miss something).

So the question is,
is pkinit-nss inbuilt in kerberos nowadays, and if so, how do I configure it?

Today I've tried with the line (as a start, to see if smartcardlib even
gets called)
pkinit_identities = PKCS11:/path_to_my_smartcardlib

Just out of curiosity I've run kinit with strace and tried to look for
calls to that lib, but I can't see anything at all relating to that
smartcardlib.

My working config, with pkinit-nss plugin is as follows,
allow_pkinit = yes
pkinit = {
     pkinit_cert_match = condition
     pkinit_kdc_hostnamepkinit_eku_checking
     is_hw = yes
}

Again, sorry if I'm missing something, any help appreciated.

Best Regards,
Patrik Martinsson, Sweden.


