Using PKINIT with ECC

Goetz Golla mit at sec4mail.de
Fri Nov 24 03:41:09 EST 2023


On 11/19/23 18:33, Ken Hornstein wrote:
> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
> you tried that?  The OpenSC people usually do a good job in terms of
> supporting a wide variety of cards but depending on how old the particular
> version of OpenSC you are using is you may be running into a compatibility
> issue.
>
> --Ken

Indeed the module provided by Yubico solved the issue. It is called 
ykcs11 and is readily available in the linux package managers.

E.g. using

  kinit -X X509_user_identity='PKCS11:libykcs11.so'

instead of

  kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'

BUT with ykcs11 I got the following message in the trace

[14174] 1700562344.750583: PKINIT error: There are 3 certs, but there 
must be exactly one.
[14174] 1700562344.750584: PKINIT client has no configured identity; 
giving up
[14174] 1700562344.750585: Preauth module pkinit (16) (real) returned: 
22/Invalid argument

This is hard to understand because there is only one certificate on the 
Yubikey.

I solved this with the following line in /etc/krb5.conf

  pkinit_cert_match = &&<SUBJECT>UID=.*CN=.*$<ISSUER>CN=YUBIKEY-CA${code}

The line matches our certificate, so there is only one left and kinit is 
working now with ECC certificates.

But I am wondering if using pkinit_cert_match without really 
understanding why I need it and what the other two certificates are is 
such a good idea ?




More information about the Kerberos mailing list