pkinit slotid=N ?

Douglas E. Engert deengert at
Wed Jan 9 10:16:46 EST 2008

Nicolas Williams wrote:
> IIRC we discussed this in the past.

Yes we have but there has never been a good solution.

> One possibility is to search the token for a suitable cert and use the
> first one found that can be used successfully. 

So how is successful determined? If you mean try to authenticate with it
to the KDC, then you may introduce a lot of extra overhead.
To use the private key, you will have to enter the PIN. There are cards
that have multiple PINs, so you may have to ask the user to enter all
of them? Don't rely on using the PIN till you are sure you have the
right cert.

> Another is to use all
> the certs that can be used successfully and store all the resulting TGTs
> in the same ccache -- pick a default principal name for the ccache
> however you like :) (e.g., the first cert's). 

> There's a pam_pkcs11 module that does just that sort of thing.  It looks
> at each cert it can find in the token until it finds one that a) maps to
> the given PAM_USER,

Where is this mapping done? We expect to use certs from the HSPD-12 PIV cards
that do not require a subject alt name for a local principal in the card. In
fact the card should be usable at many different locations, against different

> b) corresponds to the associated private key, 

Cards can have multiple keys, one for each cert, so what does this mean?

> and c) is neither expired, nor revoked, and valid to a given trust anchor.

Yes, you must do this.

> If that works for pam_pkcs11, why not for pam_krb5?

It might.

You should also look at Russ Allbery's pam_krb5 (which is in Debian)
as it has Heimdal PKINIT support and some early MIT PKINIT support.

Another issue is selecting which PKCS#11 module to use. If more than one type
of card can be used at the same workstation, and each has its own PKCS#11 module,
the Kerberos code cannot handle this today.

OpenSC PKCS#11 can handle multiple cards, and can handle the two types of cards
we are interested in, so the above is not an issue for us today.

You could also look at the Heimdal version as it does some of the tests you suggest
to locate a suitable cert.

Windows does one thing better: it recognizes card insertion, reads the ATR first,
and then uses a different CSP (provided by the card vendor) based on the ATR.
OpenSC does some of this, but not all cards are supported.

As I said I have no good solutions.

> Nico


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
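The selection order argued for in the message above (do the checks that need no PIN first, only then present the PIN, and only to the slot that holds a candidate, then confirm the private key really is on the token), as an added example that is not part of the original thread and not code from MIT Kerberos, Heimdal, pam_krb5 or OpenSC. The token is modelled in plain Python with constructed sample objects standing in for C_FindObjects/C_Login; the two EKU OIDs are the real ones, everything else (slot contents, issuer names, PINs) is made up. The cert-to-key match uses the PKCS#11 CKA_ID that a card shares between a certificate object and its private key, which is how "corresponds to the associated private key" is normally resolved on a card with several keys.

```python
"""Pick a PKINIT cert from a PKCS#11 token without spending the PIN early.
Added example for this thread; not MIT, Heimdal, pam_krb5 or OpenSC code.
The token is modelled with constructed sample objects; only the EKU OIDs are real."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# id-pkinit-KPClientAuth (RFC 4556 section 3.2.2) and the Microsoft smart card
# logon EKU; a KDC will normally want one of these on the client cert.
PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"


@dataclass
class Cert:
    """The fields of a CKO_CERTIFICATE object the selection needs."""
    label: str
    cka_id: bytes          # PKCS#11 CKA_ID, shared with the matching private key
    issuer: str            # stand-in for the DER issuer name
    not_before: datetime
    not_after: datetime
    ekus: frozenset
    revoked: bool = False  # stand-in for the CRL/OCSP result


@dataclass
class Slot:
    """One slot with a token present. Certs are public objects readable before
    C_Login; private keys are private objects and stay hidden until login."""
    slot_id: int
    pin: str
    certs: List[Cert]
    private_key_ids: List[bytes]
    logged_in: bool = False
    login_attempts: int = 0

    def login(self, pin: str) -> bool:
        self.login_attempts += 1        # every attempt counts against the retry counter
        self.logged_in = pin == self.pin
        return self.logged_in

    def find_private_key(self, cka_id: bytes) -> Optional[bytes]:
        if not self.logged_in:
            return None                 # not visible until the PIN was presented
        return cka_id if cka_id in self.private_key_ids else None


def cert_usable(cert: Cert, now: datetime, trust_anchors) -> bool:
    """Everything that can be checked without touching the private key."""
    if not cert.not_before <= now <= cert.not_after:
        return False
    if cert.revoked or cert.issuer not in trust_anchors:
        return False
    return bool(cert.ekus & {PKINIT_CLIENT_AUTH, MS_SMARTCARD_LOGON})


def select_pkinit_cert(slots, now, trust_anchors, ask_pin):
    """Return (slot_id, cert) for the first usable cert whose private key is on
    the token, or None. ask_pin(slot_id) is called at most once per slot, and
    only for a slot that already holds a cert passing cert_usable()."""
    for slot in slots:
        candidates = [c for c in slot.certs if cert_usable(c, now, trust_anchors)]
        if not candidates:
            continue                    # nothing worth a PIN prompt on this slot
        if not slot.logged_in and not slot.login(ask_pin(slot.slot_id)):
            continue                    # wrong PIN: do not retry and burn the counter
        for cert in candidates:         # a cert with no key behind it is skipped
            if slot.find_private_key(cert.cka_id) is not None:
                return slot.slot_id, cert
    return None


# Constructed sample data: a workstation with two cards inserted (not real cards).
SAMPLE_NOW = datetime(2008, 1, 9, 15, 16, tzinfo=timezone.utc)
SAMPLE_ANCHORS = {"CN=Sample Agency CA"}
SAMPLE_PINS = {0: "123456", 1: "654321"}
_Y = lambda y: datetime(y, 1, 1, tzinfo=timezone.utc)


def build_sample_slots() -> List[Slot]:
    ca = "CN=Sample Agency CA"
    mail = Cert("Email Signing", b"\x01", ca, _Y(2007), _Y(2010),
                frozenset({"1.3.6.1.5.5.7.3.4"}))          # emailProtection only
    old = Cert("Old PIV Auth", b"\x02", ca, _Y(2004), _Y(2007),
               frozenset({PKINIT_CLIENT_AUTH}))             # expired
    stale = Cert("Stale PIV Auth", b"\x03", ca, _Y(2007), _Y(2010),
                 frozenset({PKINIT_CLIENT_AUTH}))           # key re-generated, no private key left
    piv = Cert("PIV Authentication", b"\x04", ca, _Y(2007), _Y(2010),
               frozenset({PKINIT_CLIENT_AUTH, MS_SMARTCARD_LOGON}))
    return [Slot(0, SAMPLE_PINS[0], [mail, old], [b"\x01", b"\x02"]),
            Slot(1, SAMPLE_PINS[1], [stale, piv], [b"\x04"])]


def demo():
    """Run the selection on the sample token; returns what was picked and how
    many times each slot was asked for its PIN."""
    slots = build_sample_slots()
    slot_id, cert = select_pkinit_cert(slots, SAMPLE_NOW, SAMPLE_ANCHORS, SAMPLE_PINS.get)
    return slot_id, cert.label, [s.login_attempts for s in slots]


if __name__ == "__main__":
    print(demo())
```

On the sample token, slot 0 never gets a PIN prompt because neither of its certs passes the public checks, slot 1 is logged in exactly once, and the stale cert is passed over because no private key carries its CKA_ID. Against a real card the same walk runs over C_FindObjects for CKO_CERTIFICATE before C_Login and for CKO_PRIVATE_KEY after it, with the revocation and trust checks done by the library that parses the DER.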
