
List:       kerberos
Subject:    Re: pkinit-nss.
From:       Nalin Dahyabhai <nalin () redhat ! com>
Date:       2010-05-10 20:59:04
Message-ID: 20100510205904.GG11497 () redhat ! com

On Fri, May 07, 2010 at 11:36:10AM +0200, Patrik Martinsson wrote:
> I'm curious about the pkinit-nss native support in kerberos > 1.6.3.
> Maybe I'm wrong here, but as I understand it I should not need the
> pkinit-nss plugin (http://git.fedorahosted.org/git/?p=pkinit-nss.git),
> as this is supposed to be inbuilt in kerberos. However I can't get the
> "inbuilt" pkinit-nss to work, and when I'm looking quickly through the
> source, I can't really see anything about nss (I'm not an experienced
> programmer, so I could definitely miss something).

They're two different code bases -- pkinit-nss was mainly useful before
1.6.3 was released, and if you're using 1.6.3 or anything later, I'd
recommend just using the version that's incorporated into the Kerberos
distribution.

> Today I've tried with the line (as a start, to see if smartcardlib even
> gets called)
> pkinit_identities = PKCS11:/path_to_my_smartcardlib

This goes in the [libdefaults] section of krb5.conf.  If I'm remembering
it right, you also have to specify a "pkinit_anchors" value at minimum.

> Just out of curiosity I've run kinit with strace and tried to look for
> calls to that lib, but I can't see anything at all relating to that
> smartcardlib.

On Fedora, at least, the plugin's in a separate subpackage, so if you're
using a binary package, you might want to double-check that you have the
plugin on your system (/usr/lib*/krb5/plugins/preauth/pkinit.so).

HTH,

Nalin
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
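
The two checks from the reply above (both settings present in [libdefaults], plugin file installed), written out as an added shell example that is not part of the original message. The function names are hypothetical, and the config file and plugin path are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original message). Only the [libdefaults]
# placement named in the reply is checked; paths come from the caller.

# Print the value of key $2 from the [libdefaults] section of file $1.
# Exit status 0 if the key is present there, 1 otherwise.
libdefaults_value() {
    awk -v key="$2" '
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        in_sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Check config file $1 and plugin path or glob $2, printing each finding.
# Returns 0 only if both settings and the plugin file are present.
check_pkinit() {
    rc=0
    for key in pkinit_identities pkinit_anchors; do
        if val=$(libdefaults_value "$1" "$key"); then
            echo "ok: $key = $val"
        else
            echo "MISSING: $key in [libdefaults] of $1"; rc=1
        fi
    done
    plugin=
    for f in $2; do                  # unquoted on purpose so lib* expands
        if [ -f "$f" ]; then plugin=$f; break; fi
    done
    if [ -n "$plugin" ]; then
        echo "ok: plugin $plugin"
    else
        echo "MISSING: no file matches $2"; rc=1
    fi
    return "$rc"
}

# Usage: sh check.sh /etc/krb5.conf [plugin-glob]
if [ "$#" -ge 1 ]; then
    check_pkinit "$1" "${2:-/usr/lib*/krb5/plugins/preauth/pkinit.so}"
fi
```

A setting placed in another section, such as [appdefaults], is reported as missing, because only [libdefaults] is read.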