
pkinit and krb5.conf [appdefaults] section



Hi,

While setting up krb5.conf for pkinit I was reminded of a recent 
discussion in the thread titled "Re: Turning off hostname 
canonicalisation" about what sort of things should end up in the 
[appdefaults] section. I noticed the "pkinit-anchors = 
OPENSSL-ANCHOR-DIR:/dir-to-client-trusted-ca-hashes" in the 
[appdefaults] section. Is this used directly by kinit, or is it parsed 
by the libs? If this is entirely parsed by kinit, does that mean that 
any app designed to acquire credentials via the pkinit mechanism would 
have to parse this (or a similar directive) manually? I'm thinking about
a PAM module here (something that I may be looking into working on in the
near future).

Also, if this is parsed by the client libs, shouldn't it go into
[libdefaults]?

Should this be coordinated with MIT krbdev so that if/when they
implement some form of pkinit we don't wind up with 2 ways of doing
things? If this has all been discussed before I joined the list then I
apologize for not checking for archives.

-Matt