Using PKINIT with ECC
Goetz Golla
mit at sec4mail.de
Fri Nov 24 03:41:09 EST 2023
On 11/19/23 18:33, Ken Hornstein wrote:
> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
> you tried that? The OpenSC people usually do a good job in terms of
> supporting a wide variety of cards but depending on how old the particular
> version of OpenSC you are using is you may be running into a compatibility
> issue.
>
> --Ken
Indeed the module provided by Yubico solved the issue. It is called
ykcs11 and is readily available in the Linux package managers.
E.g. using
kinit -X X509_user_identity='PKCS11:libykcs11.so'
instead of
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'
BUT with ykcs11 I got the following message in the trace
[14174] 1700562344.750583: PKINIT error: There are 3 certs, but there must be exactly one.
[14174] 1700562344.750584: PKINIT client has no configured identity; giving up
[14174] 1700562344.750585: Preauth module pkinit (16) (real) returned: 22/Invalid argument
This is hard to understand because there is only one certificate on the
Yubikey.
I solved this with the following line in /etc/krb5.conf
pkinit_cert_match = &&<SUBJECT>UID=.*CN=.*$<ISSUER>CN=YUBIKEY-CA$
The line matches our certificate, so there is only one left and kinit is
working now with ECC certificates.
But I am wondering if using pkinit_cert_match without really
understanding why I need it and what the other two certificates are is
such a good idea?
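To make the selection behaviour described in this thread concrete, here is an added example (not from the post, not MIT krb5 code) that emulates how a pkinit_cert_match rule narrows the certificates a PKCS#11 module presents down to the single identity PKINIT requires. The emulation is simplified: it supports only the <SUBJECT> and <ISSUER> components and the && / || relations, and it assumes subject and issuer DNs are rendered as one-line comma-separated strings. The three certificates are constructed sample data standing in for whatever the token really returns; the labels, DNs and CA names are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:
    """A certificate as seen through the PKCS#11 module (constructed sample)."""
    label: str
    subject: str  # one-line DN string, assumption of this emulation
    issuer: str

# Constructed sample: three certs on one token. Only the first is the
# PKINIT identity issued by the (invented) YUBIKEY-CA; the second is a
# device-level cert, the third a user cert from a different (invented) CA.
CERTS = [
    Cert("piv-auth",   "UID=ggolla,CN=Goetz Golla",   "CN=YUBIKEY-CA"),
    Cert("device",     "CN=Example Device Attestation", "CN=Example Device Root CA"),
    Cert("signing",    "UID=ggolla,CN=Goetz Golla",   "CN=EXAMPLE-SIGNING-CA"),
]

# The rule from the post (the regexes are applied with re.search, so the
# trailing $ anchors the end of the DN string).
RULE = "&&<SUBJECT>UID=.*CN=.*$<ISSUER>CN=YUBIKEY-CA$"

_TAG = re.compile(r"<(SUBJECT|ISSUER)>")

def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, re.Pattern]]]:
    """Split '&&<SUBJECT>rx<ISSUER>rx' into (relation, [(component, compiled rx)])."""
    rule = rule.strip()
    relation = "&&"                      # krb5 documents && as the default relation
    if rule[:2] in ("&&", "||"):
        relation, rule = rule[:2], rule[2:]
    parts = _TAG.split(rule)             # ['', 'SUBJECT', rx, 'ISSUER', rx]
    if parts[0].strip():
        raise ValueError("rule must begin with a <COMPONENT> tag")
    comps = [(tag, re.compile(rx)) for tag, rx in zip(parts[1::2], parts[2::2])]
    if not comps:
        raise ValueError("rule contains no components")
    return relation, comps

def cert_matches(cert: Cert, relation: str, comps: List[Tuple[str, re.Pattern]]) -> bool:
    """&& requires every component to match; || requires at least one."""
    hits = []
    for tag, rx in comps:
        field = cert.subject if tag == "SUBJECT" else cert.issuer
        hits.append(rx.search(field) is not None)
    return all(hits) if relation == "&&" else any(hits)

def candidates(certs: List[Cert], rule: Optional[str] = None) -> List[Cert]:
    """Certs left after applying the rule (all of them if no rule is set)."""
    if rule is None:
        return list(certs)
    relation, comps = parse_rule(rule)
    return [c for c in certs if cert_matches(c, relation, comps)]

def select_identity(certs: List[Cert], rule: Optional[str] = None) -> Cert:
    """Mirror PKINIT's requirement: exactly one certificate must remain."""
    left = candidates(certs, rule)
    if len(left) != 1:
        raise ValueError(f"There are {len(left)} certs, but there must be exactly one.")
    return left[0]

def selection_error(certs: List[Cert], rule: Optional[str] = None) -> Optional[str]:
    """Return the error text PKINIT would log, or None when selection succeeds."""
    try:
        select_identity(certs, rule)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    print("no rule :", selection_error(CERTS))            # the 3-certs error
    print("&& rule :", select_identity(CERTS, RULE).label) # piv-auth
    print("|| rule :", selection_error(CERTS, "||" + RULE[2:]))  # 2 certs, still an error
```

Run without a rule, the emulation reproduces the "There are 3 certs" failure; with the && rule from the post exactly one certificate survives. Switching the relation to || shows why the rule has to constrain both subject and issuer: a second user certificate from another CA would otherwise also qualify. To find out what the other two objects on the token actually are, listing them with pkcs11-tool (for example `pkcs11-tool --module /path/to/libykcs11.so --list-objects`) shows each certificate's label and subject, which is a more robust basis for the match rule than trial and error.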