Re: pkinit and krb5.conf [appdefaults] section
Matthew Andrews wrote:
> Hi,
>
> While setting up krb5.conf for pkinit I was reminded of a recent
> discussion in the thread titled "Re: Turning off hostname
> canonicalisation" about what sort of things should end up in the
> [appdefaults] section. I noticed the "pkinit-anchors =
> OPENSSL-ANCHOR-DIR:/dir-to-client-trusted-ca-hashes" in the
> [appdefaults] section. Is this used directly by kinit, or is it parsed
> by the libs? If this is entirely parsed by kinit, does that mean that
> any app designed to acquire credentials via the pkinit mechanism would
> have to parse this (or a similar directive) manually? I'm thinking about
> a pam module here (something that I may be looking into working on in the
> near future.)
For PAM PKINIT mods see:
http://www.stacken.kth.se/lists/heimdal-discuss/2005-05/msg00009.html
That has mods to the RedHat pam_krb5-1.3-rc7 to work with PKINIT,
and has a pam.conf for GDM. These were designed to work with a smartcard.
>
> also if this is parsed by the client libs shouldn't it go into
> [libdefaults]?
>
> should this be coordinated with mit krbdev so that if/when they
> implement some form of pkinit we don't wind up with 2 ways of doing
> things? If this has all been discussed before I joined the list then I
> apologize for not checking the archives.
Yes.
>
> -Matt
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444