pkinit updates
Douglas E. Engert
deengert at anl.gov
Tue Dec 12 14:07:28 EST 2006
OK, did the svn update, and the -X works well with
kinit and a smartcard.
You used to have the environment variable:
PKCS11=<module>:<slot>
But with the new -X X509_user_identity=PKCS11:<module>
you no longer have a way to pass the slot (or the ID).
You should have a way to specify the slot, and the id
as used with the CKA_ID for the cert and key.
I will try and look at adding the get_init_creds_opt_set_pa
call in pam_krb5.
Kevin Coffman wrote:
> On 12/8/06, Douglas E. Engert <deengert at anl.gov> wrote:
>
>>
>> I dont see the updates I got the original source using:
>> svn checkout svn://anonsvn.mit.edu/krb5/users/coffman/pkinit
>
>
> I've updated my pkinit branch with the get_init_creds_opt_set_pa()
> changes, as well as other changes. Here is the commit message:
>
> Pull in changes for the extended get_init_creds_opt structure.
>
> Pull in changes to add get_init_creds_opt_set_pa(),
> get_init_creds_opt_get_pa(), and get_init_creds_opt_free_pa()
>
> Change client interface to pass in the get_init_creds_opt structure
> to the process and tryagain functions.
>
> Pull in changes to kinit to pass preauth options entered with "-X"
>
> Create typedefs for all the preauth plugin client and server
> interface functions and use them. Eliminates mismatches
> and enables better type checking of the interface parameters.
>
> Add *temporary* code to client side of pkinit to handle preauth options
> and set the appropriate environment variables.
> (Currently only X509_user_identity, X509_anchors, and
> flag_RSA_PROTOCOL are handled.)
>
> Add code to use krb5int_accessor to obtain pointers to internal functions
> for ASN.1 encode/decode routines rather than exporting them from
> libkrb5.
>
> Various updates and improvements in the pkinit smartcard code.
>
> Doug, this includes the heimdal compatibility function, but I'm not
> sure you can depend on it being there long-term. The pkinit code
> currently only handles X509_user_identity, X509_anchors, and the
> flag_RSA_PROTOCOL.
>
> The server still requires environment variables for now, but the
> client can be run with something like the following:
>
> /kinit -X X509_user_identity=FILE:/tmp/x509up_u20010,/tmp/x509up_u20010 \
> -X X509_anchors=/etc/grid-security/certificates \
> kwc at KWCTEST.CITI.UMICH.EDU
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
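An added illustration of the option syntax discussed in this thread, written for this page and not code from the krb5 pkinit branch or pam_krb5: it collects kinit-style "-X name=value" preauth options, parses the two X509_user_identity forms shown above (FILE:cert,key and PKCS11:module) and the older PKCS11=<module>:<slot> environment form, and makes the point of the message explicit by reporting that the slot cannot be carried across into the new -X form. Treating a bare "-X name" as a flag set to "yes" is an assumption made here for the illustration, not something the thread states.

```python
"""Illustrative parser for kinit "-X" preauth options and pkinit identity strings.
Written for this page; not MIT krb5 / pkinit / pam_krb5 code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    kind: str                     # "FILE" or "PKCS11"
    cert: Optional[str] = None    # FILE form: certificate path
    key: Optional[str] = None     # FILE form: key path (defaults to cert path)
    module: Optional[str] = None  # PKCS11 form: module path
    slot: Optional[int] = None    # only the legacy env form carries a slot


def parse_preauth_args(argv: List[str]) -> Dict[str, str]:
    """Collect '-X name=value' (or '-Xname=value') pairs into a dict.

    A bare name without '=' is treated as a flag set to "yes" (assumption
    for this illustration; flag_RSA_PROTOCOL is the flag-style option named
    in the thread)."""
    opts: Dict[str, str] = {}
    it = iter(argv)
    for arg in it:
        if arg == "-X":
            try:
                pair = next(it)
            except StopIteration:
                raise ValueError("-X requires an argument")
        elif arg.startswith("-X"):
            pair = arg[2:]
        else:
            continue  # principal name or other options
        name, sep, value = pair.partition("=")
        if not name:
            raise ValueError(f"bad preauth option {pair!r}")
        opts[name] = value if sep else "yes"
    return opts


def parse_identity(value: str) -> Identity:
    """Parse an X509_user_identity value in the forms the branch accepts."""
    kind, sep, rest = value.partition(":")
    if not sep:
        raise ValueError(f"identity {value!r} has no TYPE: prefix")
    if kind == "FILE":
        cert, _, key = rest.partition(",")
        if not cert:
            raise ValueError("FILE: identity needs a certificate path")
        return Identity("FILE", cert=cert, key=key or cert)
    if kind == "PKCS11":
        if not rest:
            raise ValueError("PKCS11: identity needs a module path")
        # Note: there is no field here for a slot or a CKA_ID.
        return Identity("PKCS11", module=rest)
    raise ValueError(f"unsupported identity type {kind!r}")


def parse_legacy_pkcs11_env(value: str) -> Identity:
    """Parse the older PKCS11=<module>:<slot> environment variable form."""
    module, sep, slot = value.rpartition(":")
    if not sep or not module:
        raise ValueError("expected <module>:<slot>")
    return Identity("PKCS11", module=module, slot=int(slot))


def to_x509_user_identity(ident: Identity) -> Tuple[str, List[str]]:
    """Render an Identity as an X509_user_identity value.

    Returns (value, dropped); 'dropped' names attributes the new syntax
    cannot express, which for a legacy PKCS11 identity is the slot."""
    if ident.kind == "FILE":
        return f"FILE:{ident.cert},{ident.key}", []
    dropped = ["slot"] if ident.slot is not None else []
    return f"PKCS11:{ident.module}", dropped


if __name__ == "__main__":
    # Constructed sample command line mirroring the one quoted in the thread.
    argv = ["kinit",
            "-X", "X509_user_identity=FILE:/tmp/x509up_u20010,/tmp/x509up_u20010",
            "-X", "X509_anchors=/etc/grid-security/certificates",
            "kwc@KWCTEST.CITI.UMICH.EDU"]
    opts = parse_preauth_args(argv)
    print(parse_identity(opts["X509_user_identity"]))
    legacy = parse_legacy_pkcs11_env("/usr/lib/opensc-pkcs11.so:1")  # constructed
    print(to_x509_user_identity(legacy))  # slot is reported as dropped
```

Running it on the constructed legacy value shows the migration problem directly: the PKCS11 module survives the conversion, while the slot comes back in the dropped list because the -X form has nowhere to put it.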