windows and smartcards

Prabin Tamang prabintamang1040 at gmail.com
Thu May 5 01:11:52 EDT 2022


Gotcha, thank you very much for all the help.
I guess just out of curiosity:
- For Windows: there are other tools such as Heimdal and Microsoft
Kerberos. With those, I don't know if you ever played around with them or
know if they support smartcard and PIN authentication to get a ticket
manually.
Manually meaning: get a ticket for a specified account with the use of
kinit or similar tools.

Prabin

On Wed, May 4, 2022 at 10:00 PM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:

> >for more information on this"
> >- People I work with have adapted the stock MIT Kerberos PKINIT plugin
> >  to work on Windows.
> >
> >Do you have any sort of documentation that you can point me to on how to
> >make this work with Windows? And also Mac, as we also have Mac users.
>
> Unfortunately, no (at least, not on Windows).
>
> We compile our own Kerberos kit for Windows, which has the changes in
> it to build the PKINIT plugin.  Actually, I believe it's worse than
> that; from memory I believe we have a separate PKINIT plugin directory.
> And ... the build environment is a huge mess there.  I don't recall that
> the code changes are large (I didn't do them), but you do need to source
> a Windows-compatible regular expression library.  One of my long-term
> goals is to get us using as much stock MIT code as possible, but I never
> did work out getting our changes to PKINIT to make it functional on Windows
> into stock MIT Kerberos.  So, I can't really help you there.
>
> >Currently, my main focus is on Windows machines, so the steps I have done
> >to try to authenticate with a smartcard:
> >1. Install MIT Kerberos
> >2. Install opensc-pkcs11
> >3. Use the following commands in the hope that it will use the smartcard:
> >kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dll
>
> Right, I think you'll have more success with this on MacOS X.  The code
> for Windows simply doesn't exist, at least in vanilla MIT Kerberos.  There
> are a lot of pieces you need to make PKINIT work, so I'd start with a
> platform where it at least is known to work.
>
> --Ken
>


-- 
Thank you,
Prabin Tamang

