windows and smartcards

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed May 4 19:40:48 EDT 2022


>I was wondering if the question listed in the link below was ever answered
>and if not, I was hoping you could provide please.
>https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html

I can provide a quick summary:

- Current stock MIT Kerberos for Windows does not support pkinit (that's
  what you need to use Smartcards).

- People I work with have adapted the stock MIT Kerberos PKINIT plugin
  to work on Windows.

- We've talked with MIT about contributing this code back; it proceeds
  in fits and starts.  The last hold-up was getting a C language regular
  expression library with an acceptable license for MIT (I didn't
  think this would be a problem, but it turns out that it is).  We use
  a PCRE library for our distribution but that has its own issues.
  Unfortunately the developers on that project lost their contract and
  there aren't currently resources to push that forward into something
  that MIT would find acceptable.

- To answer the specific question in that email message: stock MIT Kerberos
  works fine with PKINIT under OS X.  If you want to use it with
  Smartcards, you need a compatible PKCS#11 library.  If you are using
  the native smartcard support on OS X (which at the moment only
  supports PIV cards as far as I know), you can use Keychain-PKCS11.
  For other smartcards you could probably use OpenSC which provides
  a PKCS#11 library and support for smartcards that OS X does not
  support natively.  In the interests of full disclosure: I wrote
  Keychain-PKCS11 so I am obviously biased toward it.

--Ken

