Elementary PKINIT questions (MIT Kerberos/Linux configuration)
Jason White
jason at jasonjgw.net
Tue Mar 28 10:08:32 EDT 2023
On 28/3/23 09:24, Ken Hornstein wrote:
>
> You can specify the certificate exactly on the 'kinit' command line
> with the "-X X509_user_identity" option (this has the same format
> as the pkinit_identities option in krb5.conf). Now this option isn't
> supported for kadmin, but you can do:
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin jason/admin
>
> or
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin.host jason/admin
>
> Depending on the principal you are using for kadmind, and then you can use
> the "-c credential_cache" option to kadmin to use an existing credential
> cache.
Thank you - that worked as described, once I gave kadmin the correct
credentials cache.
> I have had success using a YubiKey 5 in PIV mode which also supports
> a bunch of other things like FIDO 2; I have no connection with Yubico
> other than as a user. Yubico provides a PKCS#11 module but in PIV mode
> you should be able to use any PKCS#11 module that supports PIV (this is
> very common). One advantage to a YubiKey is it is just USB and does not
> require a dedicated smartcard reader. Note that this is a lot of moving
> parts and probably will require a fair amount of fiddling.
Yes, exactly. I'm contemplating Yubikeys, however, for this and other
reasons.
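As an added example that is not part of the thread, the following POSIX shell script wraps the procedure Ken describes (kinit with the certificate given via -X X509_user_identity and -S kadmin/admin, then kadmin -c on that cache). It keeps the kadmin ticket in a private cache and pre-checks that a single FILE: identity holds both the certificate and the private key; the file path and principal names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): obtain a kadmin service ticket with a
# PKINIT certificate named on the kinit command line, then point kadmin at
# that cache. A private credential cache keeps the kadmin ticket out of the
# user's default cache, and it is destroyed when kadmin exits.
# Assumed values: the identity file, kadmin principal and admin principal
# are placeholders to replace for a real realm.

# With no ",keyfile" part, MIT krb5 expects the FILE: identity to contain
# both the certificate and the private key; check that before calling kinit.
check_pkinit_identity_file() {
    pem="$1"
    [ -r "$pem" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || return 1
    return 0
}

# Build the kinit -X value; the FILE:cert[,key] form is the same one that
# pkinit_identities accepts in krb5.conf.
pkinit_identity_arg() {
    if [ -n "${2:-}" ]; then
        printf 'X509_user_identity=FILE:%s,%s\n' "$1" "$2"
    else
        printf 'X509_user_identity=FILE:%s\n' "$1"
    fi
}

kadmin_with_pkinit() {
    pem="$1"; admin_princ="$2"; kadmin_princ="${3:-kadmin/admin}"
    check_pkinit_identity_file "$pem" || {
        echo "identity file $pem lacks a certificate or a private key" >&2
        return 1
    }
    cc="FILE:$(mktemp)"        # private cache instead of the default one
    kinit -c "$cc" -X "$(pkinit_identity_arg "$pem")" \
        -S "$kadmin_princ" "$admin_princ" || return 1
    klist -c "$cc"             # confirm the kadmin service ticket is there
    kadmin -c "$cc"            # kadmin reuses the existing cache
    kdestroy -c "$cc"
}

# Only talks to a KDC when explicitly asked, e.g.:
#   PKINIT_RUN=1 sh pkinit-kadmin.sh /tmp/foo.pem jason/admin
if [ "${PKINIT_RUN:-0}" = 1 ]; then
    kadmin_with_pkinit "$@"
fi
```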