Support for multiple pkinit identities

Greg Hudson ghudson at
Tue Jan 12 13:57:25 EST 2021

On 1/7/21 9:55 PM, Ken Hornstein wrote:
> One of our developers noticed that the MIT pkinit plugin does not
> support multiple pkinit_identities lines, at least not in the way our
> plugin does.

I ran into this a couple of years ago:

At that time I did the easy thing, which was to change the documentation
to promise less.  Instead of "Each value is attempted in order until
identity information is found and authentication is attempted", it now
says "the first valid value is used", with a suggested use case
involving ENV.

I think the best behavior would be to treat multiple pkinit_identities
values like we'd treat a single DIR: value (or PKCS11 token) containing
all of the certs, so that identity selection works on them.  That might
be difficult to implement, though.
