Pkinit & Client side errors

Nebergall, Christopher cneberg at
Mon May 21 15:59:25 EDT 2007

I was playing with the latest pkinit source branch I'm curious about
errors which occur on the client (kinit) side.

If I get my PIN wrong to my smart card, it just continues and asks for a
static password next.  It doesn't give an error saying the PIN was wrong
or give me a chance to retry.  

Also, I've tried using a smart card with an expired certificate.   The
client can't create a valid cert chain so it doesn't contact the server,
but it fails silently to asking for a static password.

When the server doesn't trust my client side certificate, it does give
an understandable error.  So there does seem to be a mechanism for
protocol errors.

Any plans for being more user friendly to client side errors?


More information about the krbdev mailing list