pkinit updates

Douglas E. Engert deengert at
Wed Dec 13 14:12:10 EST 2006

Nicolas Williams wrote:

> On Tue, Dec 12, 2006 at 04:35:34PM -0500, Jim Rees wrote:
>>I thought about allowing you to specify a token label, and I may do that if
>>I have time.
> Using token labels would allow users to establish token naming
> conventions that provide a reasonable default for PKINIT clients.
> This would be useful -- who wants to train users on how to use this -X
> option?  And anyways, a PAM PKINIT-able module would need to be able to
> find the right token with minimal configuration and interaction.

I don't believe the user will even see the -X and options with a smartcard.
They are pretty much dictated by the admin and could be in the krb5.conf.
X509_user_identity= is the only one that changes, but for a smartcard
it too is pretty much fixed: PKCS11:module_name:slotno and could be in
krb5.conf or at least pam.conf.

Even with file based credentials, I saw in a previous note that the Globus
user proxy cert and key names (/tmp/x509up_<xxx>) were being used in one
of the tests. The user proxy would normally be pointed at by X509_USER_PROXY
(session based delegated credentials), and if no proxy was available
X509_USER_CERT and X509_USER_KEY would point at the user's long term
cert and key, or ~/.globus/usercert.pem, ~/.globus/userkey.pem would
be used as the last default.

So could the krb5.conf have some way to specify a list of
X509_user_identity= entries to try? Like PKCS11 first if there is a
reader, card, then a proxy, then default files in the home directory?


[pam_krb5_console] (i.e. gdm, only use smartcard)

[pam_krb5_globus_sshd]  (i.e. Globus auth and delegation of proxy, get local krb5 creds)

> Nico


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
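The fallback order proposed above (smartcard, then Globus proxy, then the long-term cert/key from the environment, then the ~/.globus defaults), written out as a small resolver. This is an added example, not code from the thread or from the krb5 project; the PKCS11 module path, slot number, home directory and the identity-string forms (PKCS11:module:slot as written in the message, FILE:cert,key) are assumptions, and the environment and file set are constructed.

```python
"""Pick PKINIT identities in the order the message proposes: smartcard
first, then a Globus session proxy, then long-term credentials named in
the environment, then the conventional ~/.globus files.  Constructed
example; module path, slot and home directory are assumed values."""
import os
from typing import Callable, List, Mapping

PKCS11_MODULE = "/usr/lib/opensc-pkcs11.so"  # assumed PKCS#11 module path


def pkinit_identities(env: Mapping[str, str],
                      exists: Callable[[str], bool],
                      card_present: bool,
                      home: str = "/home/user",
                      slot: int = 0) -> List[str]:
    """Return candidate X509_user_identity values in the order they
    should be tried; a caller takes the first one that yields a cert.
    `exists` is injected so the logic can be checked without real files."""
    candidates: List[str] = []
    # 1. Smartcard: only when a reader with a card is actually present.
    if card_present:
        candidates.append(f"PKCS11:{PKCS11_MODULE}:{slot}")
    # 2. Session proxy (delegated credentials): cert and key in one file.
    proxy = env.get("X509_USER_PROXY")
    if proxy and exists(proxy):
        candidates.append(f"FILE:{proxy},{proxy}")
    # 3. Long-term cert and key named explicitly in the environment;
    #    both must be present, a cert without its key is useless here.
    cert, key = env.get("X509_USER_CERT"), env.get("X509_USER_KEY")
    if cert and key and exists(cert) and exists(key):
        candidates.append(f"FILE:{cert},{key}")
    # 4. Last resort: the default ~/.globus file names.
    dcert = os.path.join(home, ".globus", "usercert.pem")
    dkey = os.path.join(home, ".globus", "userkey.pem")
    if exists(dcert) and exists(dkey):
        candidates.append(f"FILE:{dcert},{dkey}")
    return candidates


if __name__ == "__main__":
    # Constructed sample environment and file set for a stand-alone run.
    sample_env = {"X509_USER_PROXY": "/tmp/x509up_u1000"}
    sample_files = {"/tmp/x509up_u1000",
                    "/home/user/.globus/usercert.pem",
                    "/home/user/.globus/userkey.pem"}
    for ident in pkinit_identities(sample_env, sample_files.__contains__,
                                   card_present=True):
        print(ident)
```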
