pkinit updates

Douglas E. Engert deengert at
Tue Dec 12 14:07:28 EST 2006

OK, did the svn update, and the -X works well with
kinit and a smartcard.

You used to have the environment variable:

But with the new -X X509_user_identity=PKCS11:<module>
you no longer have a way to pass the slot (or the ID).

You should have a way to specify the slot, and the id
as used with the CKA_ID for the cert and key.

I will try and look at adding the get_init_creds_opt_set_pa
call in pam_krb5.

Kevin Coffman wrote:

> On 12/8/06, Douglas E. Engert <deengert at> wrote:
>> I don't see the updates I got the original source using:
>> snv checkout svn://
> I've updated my pkinit branch with the get_init_creds_opt_set_pa()
> changes, as well as other changes.  Here is the commit message:
>  Pull in changes for the extended get_init_creds_opt structure.
>  Pull in changes to add get_init_creds_opt_set_pa(),
>    get_init_creds_opt_get_pa(), and get_init_creds_opt_free_pa()
>  Change client interface to pass in the get_init_creds_opt structure
>    to the process and tryagain functions.
>  Pull in changes to kinit to pass preauth options entered with "-X"
>  Create typedefs for all the preauth plugin client and server
>    interface functions and use them.  Eliminates mismatches
>    and enables better type checking of the interface parameters.
>  Add *temporary* code to client side of pkinit to handle preauth options
>    and set the appropriate environment variables.
>    (Currently only X509_user_identity, X509_anchors, and
>    flag_RSA_PROTOCOL are handled.)
>  Add code to use krb5int_accessor to obtain pointers to internal functions
>    for ASN.1 encode/decode routines rather than exporting them from
>    libkrb5.
>  Various updates and improvements in the pkinit smartcard code.
> Doug, this includes the heimdal compatibility function, but I'm not
> sure you can depend on it being there long-term.  The pkinit code
> currently only handles X509_user_identity, X509_anchors, and the
> The server still requires environment variables for now, but the
> client can be run with something like the following:
> /kinit -X X509_user_identity=FILE:/tmp/x509up_u20010,/tmp/x509up_u20010 \
> -X X509_anchors=/etc/grid-security/certificates \


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
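As an added example for this thread (not code from the thread, from pam_krb5 or from MIT krb5): a small Python parser for the X509_user_identity values that kinit takes with -X, plus a check for the selection problem Doug raises. The FILE: form is the one in Kevin's kinit command; the PKCS11: key=value fields (module_name, slotid, token, certid, certlabel) are the syntax later MIT krb5 releases document for choosing the slot and the CKA_ID, and are assumed here, since the branch under discussion only accepted PKCS11:<module>. The module file name, slot number and cert ID in the sample strings are constructed.

```python
# Parser for X509_user_identity values passed to kinit with -X.
# Added example; the PKCS11 field syntax is the one later MIT krb5
# releases document and is assumed, not taken from the 2006 branch.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Identity:
    kind: str                                   # FILE, DIR, PKCS12, ENV or PKCS11
    paths: list = field(default_factory=list)   # FILE:cert[,key], DIR:, PKCS12:, ENV:
    fields: dict = field(default_factory=dict)  # PKCS11 key=value fields

PKCS11_FIELDS = {"module_name", "slotid", "token", "certid", "certlabel"}

def parse_identity(value: str) -> Identity:
    if ":" not in value:
        raise ValueError("identity needs a TYPE: prefix, e.g. FILE:/path/cert.pem")
    kind, rest = value.split(":", 1)
    if kind == "FILE":
        parts = rest.split(",")
        if len(parts) > 2 or not parts[0]:
            raise ValueError("FILE: takes certfile or certfile,keyfile")
        return Identity(kind, parts)
    if kind in ("DIR", "PKCS12", "ENV"):
        if not rest:
            raise ValueError(f"{kind}: needs a value")
        return Identity(kind, [rest])
    if kind == "PKCS11":
        fields: dict = {}
        for i, item in enumerate(rest.split(":")):
            if "=" in item:
                k, v = item.split("=", 1)
            elif i == 0:
                k, v = "module_name", item      # bare first field is the module
            else:
                raise ValueError(f"PKCS11 field without '=': {item!r}")
            if k not in PKCS11_FIELDS:
                raise ValueError(f"unknown PKCS11 field {k!r}")
            if k in fields:
                raise ValueError(f"duplicate PKCS11 field {k!r}")
            fields[k] = v
        if not fields.get("module_name"):
            raise ValueError("PKCS11: needs a module_name")
        if "slotid" in fields and not fields["slotid"].isdigit():
            raise ValueError("slotid must be a decimal number")
        return Identity(kind, [], fields)
    raise ValueError(f"unknown identity type {kind!r}")

def selection_warnings(ident: Identity) -> list[str]:
    """The ambiguity Doug points out: a PKCS11 identity that names neither a
    slot nor a certificate selector lets the client use whichever token and
    certificate it happens to find first."""
    warnings: list[str] = []
    if ident.kind != "PKCS11":
        return warnings
    f = ident.fields
    if "slotid" not in f and "token" not in f:
        warnings.append("no slotid/token: first slot holding a token is used")
    if "certid" not in f and "certlabel" not in f:
        warnings.append("no certid/certlabel: first usable certificate is used")
    return warnings

def kinit_argv(ident_value: str, anchors: str | None = None) -> list[str]:
    """Build the argv that hands these preauth options to kinit via -X,
    validating the identity string first."""
    parse_identity(ident_value)
    argv = ["kinit", "-X", f"X509_user_identity={ident_value}"]
    if anchors:
        argv += ["-X", f"X509_anchors={anchors}"]
    return argv

if __name__ == "__main__":
    # constructed sample values
    for v in ("FILE:/tmp/x509up_u20010,/tmp/x509up_u20010",
              "PKCS11:opensc-pkcs11.so",
              "PKCS11:module_name=opensc-pkcs11.so:slotid=1:certid=01"):
        ident = parse_identity(v)
        print(v, "->", ident.kind, ident.paths or ident.fields,
              selection_warnings(ident) or "fully specified")
```

Running the block shows the bare PKCS11:<module> form producing two warnings, which is the gap Doug describes: without slotid/token and certid/certlabel the client cannot be told which token and which key pair to use when more than one is present.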
