pkinit updates

Douglas E. Engert deengert at
Tue Dec 19 10:11:22 EST 2006

Jeffrey Hutzelman wrote:

>>>   But what's the principal?
>>> It's the one the user gave on the kinit command line, and passed down
>>> through init_creds.  Or PAM equivalent.  Are you suggesting we should
>>> try to guess the principal and realm when it hasn't been specified?  
>>> How?
>> One does not tell PAM what one's principal is
> That depends on one's PAM module.  But currently, if one's PAM module 
> does not provide a way to specify the principal, then it must infer it 
> from PAM_USER. 

Is now the time to get Russ to add a prompt for principal to his
pam? It's something that has been missing for years.

> The same goes for kinit.  If a smartcard or token is in 
> use, it might be interesting to enumerate the credentials on the card 
> that might be appropriate for PKINIT and use one, especially if you 
> could examine the corresponding principal names and do the authorization 
> checks in advance, so the user doesn't have to pick the "right" 
> principal.  But the Kerberos API currently provides no way to do this, 
> so an application that wants to do so must be PKCS11-aware.

Well, the prompter can do this, and that is part of the API,
so the preauth could use the prompter, even through kinit
or pam.

> -- Jeff


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
