pam_krb5 with PKINIT from Heimdal and MIT

Douglas E. Engert deengert at
Fri Oct 6 12:44:15 EDT 2006

So while waiting for the pam_krb5-2.4 source to show up on, I am attaching the Heimdal pkinit mods for
pam-krb5-2.3 as a point of discussion. I would hope the MIT
and CITI people would comment on their pkinit API.

I have this running on Ubuntu Edgy, with opensc-0.11.1 using the
Heimdal 20061002 snapshot.  I am using a PIV smart card with a Windows
compatible cert, and W2k3 as the KDC.

  o pam_krb5 is the one place the Heimdal and MIT pkinit APIs come
    in contact. I have not seen what the CITI people have proposed. Depending
    on commonality of the APIs, parts of this code may need to be moved
    to compat_heimdal.c

  o The code depends on the hx509_err.h, as it tests for two error codes.
    i.e. no card readers found and no card in any reader. I sent a bug report
    to the Heimdal list on this today, suggesting that these should be KRB5_
    error codes and should be in the MIT code as well.

  o Three new pam options are added:
       use_pkinit - only do pkinit authentication, don't do password
       try_pkinit - try for pkinit, and if no card or reader, try password.
       pk_user=   - the pk_user parameter as passed to the pkinit code.
             for example: pk_user=PKCS11:/usr/lib/
             With a smart card this is always the same.

  o The thinking is if the user puts in a smart card, try and use it.
    If no card is present use passwords as before. If they put in a card
    and it fails, don't fall back to password, make them take the card
    out first.

  o The user is expected to type in a username to PAM, unlike Windows
    that expects the UPN to be in the certificate. Future certificates
    should not be expected to contain realm specific information.

  o I chose to copy the pamk5_password_auth routine and rename it
    pamk5_pkinit_auth, and cut out what was not needed. There is a lot
    of duplicate code between the two. This was the easy way, as
    I have not seen the MIT pkinit API.

  o The Heimdal code uses krb5_get_init_creds_opt_alloc to
    allocate the opts structure, rather than having the structure
    defined on the stack. In any case the same opts can not be used
    for pkinit and if it fails for password. A separately initialized
    opts structure is needed.

  o Since the Heimdal default is to compile in pkinit, or at least
    a stub for it, this pkinit code can be compiled into pam_krb5
    by default. I would hope the MIT code would do something similar.

  o To compile pam_krb5-2.3 with this patch, you also need the mods I
    sent in as a bug yesterday #391276, that you have fixed in 2.4.

> Matthijs, provided that I didn't mess something up again, this should fix
> the compilation problems with Heimdal, including the couple of warnings
> that were showing up in the buildd logs.
> BTW, Bug#269457 against libpam-heimdal was also fixed in pam-krb5 2.0.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
Attachment: pam-krb5-2.3-20061002.txt
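As an added illustration, and not the code from the attached patch, here is a small self-contained C model of the option parsing and the pkinit/password fallback policy the bullets above describe. The option names are the ones from the message; the result codes stand in for the two hx509 errors it mentions, and the struct and function names are hypothetical.

```c
#include <string.h>

/* Hypothetical model of the pkinit-first policy described in the message.
 * Result codes stand in for "no card readers found" / "no card in reader". */
enum pk_mode   { PK_NONE, PK_TRY, PK_USE };                 /* none / try_pkinit / use_pkinit */
enum pk_result { PK_OK, PK_NO_READER, PK_NO_CARD, PK_FAILED };
enum action    { ACT_SUCCESS, ACT_TRY_PASSWORD, ACT_DENY };

struct pk_opts {
    enum pk_mode mode;
    char pk_user[128];   /* value of pk_user=, e.g. PKCS11:/usr/lib/... */
};

/* Parse PAM module arguments such as "try_pkinit" and "pk_user=PKCS11:/usr/lib/". */
void parse_pam_args(struct pk_opts *o, int argc, const char **argv) {
    int i;
    o->mode = PK_NONE;
    o->pk_user[0] = '\0';
    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "use_pkinit") == 0)
            o->mode = PK_USE;
        else if (strcmp(argv[i], "try_pkinit") == 0)
            o->mode = PK_TRY;
        else if (strncmp(argv[i], "pk_user=", 8) == 0) {
            strncpy(o->pk_user, argv[i] + 8, sizeof o->pk_user - 1);
            o->pk_user[sizeof o->pk_user - 1] = '\0';
        }
    }
}

/* What pam_krb5 should do after a pkinit attempt returned r. */
enum action decide(const struct pk_opts *o, enum pk_result r) {
    if (o->mode == PK_NONE)
        return ACT_TRY_PASSWORD;   /* pkinit not configured: password as before */
    if (r == PK_OK)
        return ACT_SUCCESS;
    if (r == PK_NO_READER || r == PK_NO_CARD)
        return o->mode == PK_TRY ? ACT_TRY_PASSWORD : ACT_DENY;
    /* A card was present but pkinit failed: no password fallback,
     * the user has to take the card out first. */
    return ACT_DENY;
}

/* Convenience wrapper: parse the module arguments, then apply the policy. */
enum action pkinit_policy(int argc, const char **argv, enum pk_result r) {
    struct pk_opts o;
    parse_pam_args(&o, argc, argv);
    return decide(&o, r);
}
```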
