Re: pkinit and krb5.conf [appdefaults] section

Matthew Andrews wrote:

> Hi,
> While setting up krb5.conf for pkinit I was reminded of a recent 
> discussion in the thread titled "Re: Turning off hostname 
> canonicalisation" about what sort of things should end up in the 
> [appdefaults] section. I noticed the "pkinit-anchors = 
> OPENSSL-ANCHOR-DIR:/dir-to-client-trusted-ca-hashes" in the 
> [appdefaults] section. Is this used directly by kinit, or is it parsed 
> by the libs? If this is entirely parsed by kinit, does that mean that 
> any app designed to acquire credentials via the pkinit mechanism would 
> have to parse this (or a similar directive) manually? I'm thinking about 
> a pam module here (something that I may be looking into working on in the 
> near future.)

For PAM PKINIT mods see:

That has mods to the RedHat pam_krb5-1.3-rc7 to work with PKINIT,
and a pam.conf for GDM. These were designed to work with a smartcard.

> also if this is parsed by the client libs shouldn't it go into 
> [libdefaults]?
> should this be coordinated with mit krbdev so that if/when they 
> implement some form of pkinit we don't wind up with 2 ways of doing 
> things? If this has all been discussed before I joined the list then I 
> apologize for not checking for archives.


> -Matt
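Whichever section the directive ends up in, an operator wants to know two things before relying on it: which section(s) of krb5.conf actually carry `pkinit-anchors`, and whether the `OPENSSL-ANCHOR-DIR:` directory it points at is populated with the hash-named links the OpenSSL lookup expects (an empty or unhashed directory leaves the client with no CA against which to validate the KDC's certificate). The script below is an added example for this thread, not code from the thread or from any Kerberos implementation. Its krb5.conf parser is a deliberately minimal, hypothetical one that only understands `[section]`, `key = value` and `name = { ... }` blocks; the sample configuration and the temporary anchor directory it checks are constructed for the demonstration.

```python
"""Locate pkinit-anchors in a krb5.conf and sanity-check an OPENSSL-ANCHOR-DIR.

Added example for the mailing-list thread; not Heimdal's or MIT's own code.
The parser is a minimal hypothetical one covering only the config shapes used here.
"""
import os
import re
import tempfile

# c_rehash-style link names: eight hex digits, a dot, then a sequence number.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")

# Constructed sample krb5.conf; the anchor path is the placeholder from the thread.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[appdefaults]
    pkinit-anchors = OPENSSL-ANCHOR-DIR:/dir-to-client-trusted-ca-hashes
    kinit = {
        pkinit-anchors = OPENSSL-ANCHOR-DIR:/dir-to-client-trusted-ca-hashes
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'app = { ... }' blocks become 'section/app'."""
    conf = {}
    section, sub = "", None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                  # new top-level section
            section, sub = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":                        # end of a nested block
            sub = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:                                  # start of a nested block
            sub = m.group(1)
            conf.setdefault(section + "/" + sub, {})
            continue
        key, _, value = line.partition("=")
        target = section + "/" + sub if sub else section
        conf.setdefault(target, {})[key.strip()] = value.strip()
    return conf


def find_pkinit_anchors(conf):
    """List every (section, value) pair that carries a pkinit-anchors directive."""
    return [(sec, kv["pkinit-anchors"]) for sec, kv in conf.items()
            if "pkinit-anchors" in kv]


def check_anchor_dir(value):
    """For an OPENSSL-ANCHOR-DIR:<dir> value, report existence and hash-link count."""
    kind, _, path = value.partition(":")
    if kind != "OPENSSL-ANCHOR-DIR":
        return {"kind": kind, "checked": False}
    if not os.path.isdir(path):
        return {"kind": kind, "checked": True, "exists": False, "hash_links": 0}
    links = sum(1 for n in os.listdir(path) if HASH_LINK.match(n))
    return {"kind": kind, "checked": True, "exists": True, "hash_links": links}


def demo_check():
    """Build a constructed anchor directory (two hash links, one stray PEM) and check it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("deadbeef.0", "cafebabe.0", "notahash.pem"):
            with open(os.path.join(d, name), "w") as f:
                f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n")
        return check_anchor_dir("OPENSSL-ANCHOR-DIR:" + d)


if __name__ == "__main__":
    for section, value in find_pkinit_anchors(parse_krb5_conf(SAMPLE_CONF)):
        print(f"[{section}] pkinit-anchors = {value} -> {check_anchor_dir(value)}")
    print("constructed directory:", demo_check())
```

Run against a real `/etc/krb5.conf` by passing its contents to `parse_krb5_conf`; a `hash_links` count of zero for an existing directory usually means `c_rehash` (or the equivalent `openssl rehash`) was never run on the CA files placed there.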


