windows and smartcards

Prabin Tamang prabintamang1040 at gmail.com
Wed May 4 21:20:12 EDT 2022


Hi,

for more information on this"
- People I work with have adapted the stock MIT Kerberos PKINIT plugin
  to work on Windows.

Do you have any sort of documentation that you can point me to on how to
make this work with Windows? And also Mac, as we also have Mac users.

Currently, my main focus is on Windows machines, so the steps I have done
to try to authenticate with a smartcard:
1. Install MIT Kerberos
2. Install opensc-pkcs11
3. Use the following commands in the hope that it will use smartcard:
kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dill

but I have not been successful.

Again, I am continuing this discussion because you mentioned that "people
have made it work with Windows with the use of pkinit plugin".
And finally, I would like to say thank you very much for replying, as this
was very helpful information.

Best,
Prabin

On Wed, May 4, 2022 at 7:40 PM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:

> >I was wondering if the question listed in the link below was ever answered
> >and if not, I was hoping you could provide please.
> >https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html
>
> I can provide a quick summary:
>
> - Current stock MIT Kerberos for Windows does not support pkinit (that's
>   what you need to use Smartcards).
>
> - People I work with have adapted the stock MIT Kerberos PKINIT plugin
>   to work on Windows.
>
> - We've talked with MIT about contributing this code back; it proceeds
>   in fits and starts.  The last hold-up was getting a C language regular
>   expression library with an acceptable license for MIT (I didn't
>   think this would be a problem, but it turns out that it is).  We use
>   a PCRE library for our distribution but that has its own issues.
>   Unfortunately the developers on that project lost their contract and
>   there aren't currently resources to push that forward into something
>   that MIT would find acceptable.
>
> - To answer the specific question in that email message: stock MIT Kerberos
>   works fine with PKINIT under OS X.  If you want to use it with
>   Smartcards, you need a compatible PKCS#11 library.  If you are using
>   the native smartcard support on OS X (which at the moment only
>   supports PIV cards as far as I know), you can use Keychain-PKCS11.
>   For other smartcards you could probably use OpenSC which provides
>   a PKCS#11 library and support for smartcards that OS X does not
>   support natively.  In the interests of full disclosure: I wrote
>   Keychain-PKCS11 so I am obviously biased toward it.
>
> --Ken
>


-- 
Thank you,
Prabin Tamang

