Reg: pkinit with smartcard on kerberos V5
Lohit Valleru
lohitv9 at gmail.com
Tue Feb 26 16:39:46 EST 2013
Dear Community,
I assume I have mailed the right community list for these kinds of
questions. If I have mailed the wrong location, may I please ask for
the respective mailing address.
I am a system administrator for a high performance cluster, and I am
thinking of setting up a smartcard authentication with kerberos.
I have already completed kerberos authentication implementation for users
of the cluster, through kinit and gssapi.
These are the steps that I have followed to set up pkinit with smartcard.
1. I have created a CA to issue the CA certificates, CAkey and use those to
create the KDC certificates and Client certificates as mentioned in the
below link.
http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
2. However, in order to use smartcard along with PAM and kerberos
authentication, I need to use the CAs given by our organization for the
smart card, for which we do not have the CA key.
My question is: do we have to use the same CA for KDC, Client and
Smartcard certificates? Or could we mention 2 different CAs to KDC for
KDC, Client certificates and Smartcard certificate?
In that way, it would be helpful if KDC could use a self-generated CA
certificate for the KDC and Client certificate, while it will use the
Smartcard CA certificate for user login authentication with smart card.
Also, may I know how we kinit using smartcard, in order to debug if the
issue is with PAM login attempt or kerberos authentication?
I would be happy to hear from you.
Thank you
Lohit