Recommended PKINIT Plug-In for Leopard?

Alexandra Ellwood lxs at MIT.EDU
Thu Apr 24 11:47:36 EDT 2008

On Apr 23, 2008, at 11:49 PM, Henry B. Hotz wrote:

> I can follow the UMICH links to a version that was to be integrated
> into the MIT distribution, and supposedly worked with 1.6.x.  If I can
> figure out how to get 1.7 development versions then I assume there is
> a version in there somewhere.  OSX 10.5.2 (current release) says it
> includes "Kerberos 5 release 1.6.2-postrelease".
> If I want to experiment with a PKINIT plugin that should work in
> 10.5.x, which version from where is recommended?
> (Heimdal PKINIT works just fine on OSX 10.5, but I have too much
> respect for the MIT distribution to want to wholesale replace it if I
> don't need to.)

Mac OS X Leopard has its own pkinit implementation written by Apple  
which does not use the plugin architecture.  If you are interested in  
using Apple's pkinit, look at how Back To My Mac stores its  
credentials.  It is using pkinit.

While I am not overly familiar with Apple's pkinit implementation, I  
believe it overrides any pkinit plugins.  So while you could build  
your own pkinit plugin, it probably wouldn't actually get run by the  
libraries that ship with Leopard.


Alexandra Ellwood <lxs at>
MIT Kerberos Consortium

More information about the krbdev mailing list