pkinit updates

Jeffrey Hutzelman jhutz at
Tue Dec 19 17:42:43 EST 2006

On Tuesday, December 19, 2006 04:13:23 PM -0600 Nicolas Williams 
<Nicolas.Williams at> wrote:

> On Mon, Dec 18, 2006 at 07:38:46PM -0500, Jeffrey Hutzelman wrote:
>> How about looking for one with a certificate whose PKINIT SAN matches
>> the  principal?  I would certainly see that as useful for some
>> deployments.
> Not generally good enough: what if multiple certs exist on the card that
> have PKINIT SANs?

You use the one whose SAN matches your principal name.  If there is more 
than one, you use the first one, or prompt the user.  Of course, even that 
only helps if the certs in question have PKINIT SAN's, and a lot of them 

Really, there are two completely different sets of uses here.

(1) Using tools like kinit to obtain tickets

(2) Using tools like login to gain access to a machine.

In case (1), you cannot assume that the workstation administrator knows 
anything about selecting the correct credentials.  Since the Kerberos 
library may be invoked in case (1), it can't make any assumptions either. 
In particular, credential selection cannot be based entirely on 
preconfiguration, because the person configuring your workstation doesn't 
know anything about my token or realm.  On the other hand, the UI can be 
rich enough to allow the user to specify odd things like a slot number or 
label name without requiring them to do so in every case.

In case (2), you can probably assume that the workstation administrator 
knows something about what is going on.  He knows how the workstation is 
configured, what devices are present (to some extent), and he knows what 
kind of cards or tokens his users have and how they are configured (though 
he may not have any control over that).  So the workstation admin may be 
able to usefully specify use of a particular slot, or of the cert with a 
particular label or SAN or DN.  Depending on the deployment, he may even be 
able to specify enough that you can get the behavior Love described - user 
walks up to his machine, inserts his smartcard, types his PIN, and gets 
logged in without ever giving a username.

What the Kerberos library needs to do is make few enough hard assumptions 
that (1) is possible for arbitrary realms where the local admin has no 
prior knowledge of the "right thing", while also providing an interface 
rich enough that an application or PAM module can do (2), possibly in a 
highly site-dependent way.

-- Jeff

More information about the krbdev mailing list