pkinit-nss.
Nalin Dahyabhai
nalin at redhat.com
Mon May 10 16:59:04 EDT 2010
On Fri, May 07, 2010 at 11:36:10AM +0200, Patrik Martinsson wrote:
> I'm curious about the pkinit-nss native support in kerberos > 1.6.3.
> Maybe I'm wrong here, but as I understand it I should not need the
> pkinit-nss plugin (http://git.fedorahosted.org/git/?p=pkinit-nss.git),
> as this is supposed to be inbuilt in kerberos. However I can't get the
> "inbuilt" pkinit-nss to work, and when I'm looking quickly through the
> source, I can't really see anything about nss (I'm not an experienced
> programmer, so I could definitely miss something).

They're two different code bases -- pkinit-nss was mainly useful before
1.6.3 was released, and if you're using 1.6.3 or anything later, I'd
recommend just using the version that's incorporated into the Kerberos
distribution.

> Today I've tried with the line (as a start, to see if smartcardlib even
> gets called)
> pkinit_identities = PKCS11:/path_to_my_smartcardlib

This goes in the [libdefaults] section of krb5.conf. If I'm remembering
it right, you also have to specify a "pkinit_anchors" value at minimum.

> Just out of curiosity I've run kinit with strace and tried to look for
> calls to that lib, but I can't see anything at all relating to that
> smartcardlib.

On Fedora, at least, the plugin's in a separate subpackage, so if you're
using a binary package, you might want to double-check that you have the
plugin on your system (/usr/lib*/krb5/plugins/preauth/pkinit.so).
HTH,
Nalin
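
The checks named in the reply above (pkinit_identities and pkinit_anchors present in [libdefaults], and pkinit.so installed under the quoted path), as an added example that is not part of the original message or of the Kerberos distribution. The function names and the optional ROOT prefix are hypothetical, and the parser assumes flat "key = value" lines.

```shell
#!/bin/sh
# Added example: checks the three things named in the reply above.

# Print the value(s) of KEY in [SECTION] of a krb5.conf-style file; the
# exit status is non-zero when the key is absent. Flat "key = value" only.
krb5_get() {   # usage: krb5_get FILE SECTION KEY
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                               # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }  # section header
        cur == sect && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1 }
        }
        END { exit !found }
    ' "$1"
}

# Look for pkinit.so under the path pattern quoted in the reply. ROOT is a
# hypothetical prefix so the check can run against a scratch tree.
find_pkinit_plugin() {   # usage: find_pkinit_plugin [ROOT]
    for f in "${1:-}"/usr/lib*/krb5/plugins/preauth/pkinit.so; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

check_pkinit() {   # usage: check_pkinit KRB5_CONF [ROOT]
    rc=0
    for key in pkinit_identities pkinit_anchors; do
        if val=$(krb5_get "$1" libdefaults "$key"); then
            echo "ok: $key = $val"
        else
            echo "MISSING: $key not set in [libdefaults]"; rc=1
        fi
    done
    if p=$(find_pkinit_plugin "${2:-}"); then echo "ok: plugin at $p"
    else echo "MISSING: preauth/pkinit.so not found"; rc=1; fi
    return $rc
}

# With no arguments, run on a constructed config in an empty scratch tree.
if [ $# -gt 0 ]; then check_pkinit "$@"; else
    d=$(mktemp -d)
    printf '[libdefaults]\n pkinit_identities = PKCS11:/path_to_my_smartcardlib\n' > "$d/krb5.conf"
    check_pkinit "$d/krb5.conf" "$d" || true
    rm -rf "$d"
fi
```

Run with no arguments it reports the constructed case (identities set, anchors and plugin missing); run as `sh script.sh /etc/krb5.conf` it checks the live system.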