libpam-krb5 on Ubuntu 8.04 with MIT Kerberos and PKINIT

Douglas E. Engert deengert at
Thu May 15 14:13:57 EDT 2008

I was trying to get the PKINIT working on Ubuntu 8.04
which comes with:
    libpam-krb5 3.10-1
    krb5-pkinit 1.6.dfsg.3~beta1-2ubuntu1

I had to make a change to the libpam-krb5 auth.c to remove a test for
a bug that appears to be fixed in krb5-1.6.3. I just changed the #ifdef
to not include the call to clear out the opts structure.

--- ,auth.c     2007-12-28 23:42:52.000000000 -0600
+++ auth.c      2008-05-15 10:55:26.000000000 -0500
@@ -139,7 +139,7 @@
  set_credential_options(struct pam_args *args, krb5_get_init_creds_opt *opts,
                         int service)
-#ifdef HAVE_KRB5_MIT
+#ifdef HAVE_KRB5_MIT_OLDER_THEN_1_6_3
      /* Work around a bug in MIT Kerberos where allocating the credential
         structure with opt_alloc doesn't initialize it.  This workaround
         will probably be removed eventually when the broken versions of 1.6
         are obsolete.

         We can't do this for Heimdal because it will destroy the private
         structure in the allocated opt struct. */
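
Review bot: HAVE_KRB5_MIT_OLDER_THEN_1_6_3 on the changed #ifdef line is not defined anywhere in this patch, so the workaround is compiled out for every MIT build, including the 1.6 releases that the comment says return an uninitialized structure from opt_alloc. On those versions set_credential_options would then operate on uninitialized option fields. If the goal is to drop the clearing only where the bug is fixed, the macro needs a configure-time probe or version check that defines it for the affected releases. "THEN" in the macro name should be "THAN", and the comment below the #ifdef should name the version at which the workaround stops applying.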

Can you verify that the above code is not needed?

With the above change and change to /etc/pam.d/* and /etc/krb5.conf
I can get gdm and gnome-screensaver to use either a smart card or a password.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
