Kerberos and smart cards
Russ Allbery
rra at stanford.edu
Fri Sep 27 13:05:28 EDT 2013
jarek <jarek at poczta.srv.pl> writes:

> I'm trying to set up kerberos with smart cards. I have working kerberos
> (krb5-kdc 1.10.1+dfsg-5+deb7u1) and one client on debian wheezy amd64.
> Kerberos is working fine with passwords. I have also ATHENA smart card
> environment working on client with pam-pkcs11. If I enable pam-pkcs11,
> client can login with card. If it is disabled, client is authenticated
> against kerberos with password.

The piece of your configuration that you didn't mention is your PAM
configuration. libpam-krb5 doesn't attempt PKINIT authentication by
default, so I suspect the problem may be that you didn't enable it.

Try adding try_pkinit to the pam_krb5.so configuration in the auth stack
and see if that changes the behavior.

I think it will pick up pkinit_identities from your [libdefaults], but if
not you may also have to set pkinit_user to that same value in the PAM
configuration.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
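
Added example, not part of the original message and not code from the pam-krb5 project: a shell check for the condition the reply describes, a pam_krb5.so line in the auth stack that never asks for PKINIT. The function name, the sample stacks and the exit codes are assumptions made for illustration; use_pkinit (the pam-krb5 option that requires PKINIT) is accepted alongside try_pkinit although the message mentions only the latter, and only the /etc/pam.d-style files passed as arguments are inspected.

```shell
#!/bin/sh
# check_pkinit FILE...: audit /etc/pam.d-style files for pam_krb5.so auth
# lines and report whether each one asks for PKINIT.
# Exit status: 0 = every pam_krb5.so auth line has try_pkinit or use_pkinit,
#              1 = at least one such line is password-only,
#              2 = no pam_krb5.so auth line was found at all.
check_pkinit() {
    awk '
        {
            sub(/#.*/, "")                      # drop comments
            if (NF == 0) next
            type = $1; sub(/^-/, "", type)      # "-auth" is still an auth line
            if (type != "auth") next
            krb5 = 0; pkinit = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_krb5\.so$/) krb5 = 1
                if ($i == "try_pkinit" || $i == "use_pkinit") pkinit = 1
            }
            if (!krb5) next
            found = 1
            if (pkinit) {
                printf "%s:%d: PKINIT requested\n", FILENAME, FNR
            } else {
                printf "%s:%d: password only, add try_pkinit\n", FILENAME, FNR
                bad = 1
            }
        }
        END {
            if (!found) { print "no pam_krb5.so auth line found"; exit 2 }
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample stacks (illustrative, not taken from the message).
sample_before() {
    printf '%s\n' \
        '# constructed sample: password-only Kerberos stack' \
        'auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000' \
        'auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass' \
        'auth requisite pam_deny.so'
}
# Same stack with the option the reply suggests appended to pam_krb5.so.
sample_after() {
    sample_before | sed 's/pam_krb5\.so/& try_pkinit/'
}
```

On a real client the function would be pointed at the file that holds the auth stack, for example `check_pkinit /etc/pam.d/common-auth` on Debian.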