pkinit slotid=N ?
Nicolas.Williams at sun.com
Tue Jan 8 18:27:21 EST 2008
IIRC we discussed this in the past.

One possibility is to search the token for a suitable cert and use the
first one found that can be used successfully. Another is to use all
the certs that can be used successfully and store all the resulting TGTs
in the same ccache -- pick a default principal name for the ccache
however you like :) (e.g., the first cert's).

There's a pam_pkcs11 module that does just that sort of thing. It looks
at each cert it can find in the token until it finds one that a) maps to
the given PAM_USER, b) corresponds to the associated private key, and c)
is neither expired, nor revoked, and valid to a given trust anchor. If
that works for pam_pkcs11, why not for pam_krb5?
More information about the krbdev
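
An added sketch (not code from pam_pkcs11, pam_krb5 or the message above) of the selection loop the message describes: checks a) to c) per cert, then either the first usable cert or every usable cert with the first one's principal as the ccache default. The `TokenCert` record, the principal mapping rule and all sample values are assumptions; trust-anchor validation is reduced to a direct issuer match, and "usable" means passing the checks, not actually obtaining a TGT.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class TokenCert:                 # constructed stand-in for a cert object on the token
    key_id: str                  # ID shared with its private key object
    principal: str               # Kerberos principal the cert maps to (assumed mapping)
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

def skip_reason(cert, user, key_ids, anchors, revoked, now):
    """Return None if cert passes checks a)-c) from the message, else why not."""
    if cert.principal.split("@")[0].split("/")[0] != user:
        return "does not map to user"                    # a)
    if cert.key_id not in key_ids:
        return "no matching private key"                 # b)
    if not cert.not_before <= now <= cert.not_after:
        return "outside validity period"                 # c)
    if (cert.issuer, cert.serial) in revoked:
        return "revoked"                                 # c)
    if cert.issuer not in anchors:   # simplification: no path building or signature check
        return "not issued by a trust anchor"            # c)
    return None

def usable(certs, **ctx):
    return [c for c in certs if skip_reason(c, **ctx) is None]

def first_usable(certs, **ctx):          # option 1: first cert that works
    return next(iter(usable(certs, **ctx)), None)

def ccache_plan(certs, **ctx):           # option 2: one TGT per usable cert, one ccache
    ok = usable(certs, **ctx)
    return {"default": ok[0].principal, "tgts": [c.principal for c in ok]} if ok else None

def d(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)

CA = "CN=Example CA"             # all values below are constructed sample data
CERTS = [
    TokenCert("01", "alice@EXAMPLE.COM", CA, 10, d(2006), d(2007)),        # expired
    TokenCert("02", "bob@EXAMPLE.COM", CA, 11, d(2007), d(2009)),          # other user
    TokenCert("03", "alice@EXAMPLE.COM", CA, 12, d(2007), d(2009)),        # usable
    TokenCert("04", "alice@EXAMPLE.COM", CA, 13, d(2007), d(2009)),        # revoked
    TokenCert("05", "alice/admin@EXAMPLE.COM", CA, 14, d(2007), d(2009)),  # usable
    TokenCert("09", "alice@EXAMPLE.COM", CA, 15, d(2007), d(2009)),        # key missing
]
CTX = dict(user="alice", key_ids={"01", "02", "03", "04", "05"}, anchors={CA},
           revoked={(CA, 13)}, now=d(2008))
```

Logging the `skip_reason` for each rejected cert keeps a "no usable certificate" failure diagnosable when a token holds several certs.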