Elementary PKINIT questions (MIT Kerberos/Linux configuration)

Jason White jason at jasonjgw.net
Tue Mar 28 10:08:32 EDT 2023


On 28/3/23 09:24, Ken Hornstein wrote:
>
> You can specify the certificate exactly on the 'kinit' command line
> with the "-X X509_user_identity" option (this has the same format
> as the pkinit_identities option in krb5.conf).  Now this option isn't
> supported for kadmin, but you can do:
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin jason/admin
>
> or
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin.host jason/admin
>
> Depending on the principal you are using for kadmind, and then you can use
> the "-c credential_cache" option to kadmin to use an existing credential
> cache.


Thank you - that worked as described, once I gave kadmin the correct 
credentials cache.

> I have had success using a YubiKey 5 in PIV mode which also supports
> a bunch of other things like FIDO 2; I have no connection with Yubico
> other than as a user.  Yubico provides a PKCS#11 module but in PIV mode
> you should be able to use any PKCS#11 module that supports PIV (this is
> very common).  One advantage to a YubiKey is it is just USB and does not
> require a dedicated smartcard reader.  Note that this is a lot of moving
> parts and probably will require a fair amount of fiddling.

Yes, exactly. I'm contemplating YubiKeys, however, for this and other reasons.
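
Putting the recipe from the exchange above into one script: get a service ticket for kadmind straight from the X.509 credential into a private cache, confirm the cache holds it, and hand that cache to kadmin with -c. This is an added example, not code from the thread or from MIT Kerberos; the certificate paths, the kadmin/admin service principal, the slot number and the /usr/lib location of Yubico's PKCS#11 module (libykcs11.so) are assumptions for illustration. The identity string grammar (FILE:cert[,key] and PKCS11:module_name=...[:slotid=N]) is the one krb5.conf documents for pkinit_identities, which is what -X X509_user_identity takes.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: kadmind runs as kadmin/admin,
# the PEM cert/key are at the paths given, libykcs11.so is in /usr/lib.
set -eu

# Build the value for "kinit -X X509_user_identity=...".  Same grammar as
# the pkinit_identities option in krb5.conf.
pkinit_identity() {
  kind=$1; shift
  case $kind in
    file)
      # FILE:certfile[,keyfile]; the key may also be appended to the cert file
      if [ $# -ge 2 ]; then printf 'FILE:%s,%s' "$1" "$2"
      else printf 'FILE:%s' "$1"; fi ;;
    pkcs11)
      # PKCS11:module_name=<module.so>[:slotid=N]; a PIV token such as a
      # YubiKey is reached through its PKCS#11 module (path is an assumption)
      out="PKCS11:module_name=$1"
      if [ $# -ge 2 ]; then out="$out:slotid=$2"; fi
      printf '%s' "$out" ;;
    *)
      echo "pkinit_identity: unknown kind '$kind'" >&2; return 1 ;;
  esac
}

# Acquire a ticket for the kadmind service principal only (no TGT), in a
# cache of our own, verify it, then run kadmin against that cache.
#   $1 identity string, $2 admin principal, $3 kadmind service principal,
#   remaining args are passed to kadmin (e.g. -q "getprinc jason")
pkinit_kadmin() {
  identity=$1; princ=$2; service=$3; shift 3
  cache=$(mktemp /tmp/krb5cc_pkinit.XXXXXX)
  # destroy the ticket and remove the file when the shell exits
  trap 'kdestroy -c "FILE:$cache" 2>/dev/null || true; rm -f "$cache"' EXIT

  # -X passes the PKINIT identity, -S asks for a service ticket for kadmind
  kinit -c "FILE:$cache" -X "X509_user_identity=$identity" -S "$service" "$princ"

  # kadmin -c needs a kadmin/admin or kadmin/<host> ticket in the cache
  if ! klist -c "FILE:$cache" | grep -q "$service"; then
    echo "no $service ticket in $cache" >&2
    return 1
  fi
  kadmin -c "FILE:$cache" "$@"
}

# Only run when invoked as: ./pkinit-kadmin.sh run [pem|yubikey] [kadmin args...]
case ${1:-} in
  run)
    shift
    how=${1:-pem}; [ $# -gt 0 ] && shift
    if [ "$how" = yubikey ]; then
      id=$(pkinit_identity pkcs11 /usr/lib/libykcs11.so 0)   # assumed path/slot
    else
      id=$(pkinit_identity file /tmp/foo.pem)                # path from the thread
    fi
    pkinit_kadmin "$id" jason/admin kadmin/admin "$@"
    ;;
esac
```

Use "./pkinit-kadmin.sh run pem -q 'getprinc jason/admin'" with the PEM file, or "run yubikey ..." once the PKCS#11 module is installed (kinit will prompt for the PIV PIN). If kadmind is instead named kadmin/<host>, pass that as the service principal so both the -S argument and the klist check match.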
