Re: pkinit/opensc/soft-pkcs11
Since you are trying to use a Globus proxy file, all the code you
need may already be present and you don't need the engine at all.
Can you try:
kinit -C FILE:tmp/x509up_u31765,tmp/x509up_u31765 ma3d
This will use the load_openssl_file (rather than the load_openssl_engine)
and use the proxy file for the cert and key.
Matthew N. Andrews wrote:
> Hmmm...
>
> Upon further consideration I think you're right (sorta). pkcs11 is not
> really what I want here. It's more likely that what I want is actually
> simply an engine_myproxy.sa that provides ENGINE_load_private_key, and
> ENGINE_load_public_key, and ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL" ...
>
> whee!!!!
>
>
> Matthew N. Andrews wrote:
>
>> Douglas E. Engert wrote:
>> ...
>>
>>>>
>>>> Just in case anyone cares, my goal here is to have a pkcs11 software
>>>> token that requires login to retrieve a user key/cert pair, and to
>>>> upon "login" to actually acquire the key/cert from a globus myproxy
>>>> server.
>>>
>>> So how are you authenticating to the myproxy?
>>> It is not clear why you are trying to do all of this from the
>>> pkcs11.
>>> It sounds like it should be multiple operations. Maybe via PAM.
>>> Are you going to use the "pin" to authenticate to the myproxy?
>>>
>>
>> Yes, I plan on using the pin. My rationale for going the pkcs11 route is
>> that it means that users will be able to acquire new credentials post
>> login simply by running kinit. The password to the myproxy server is
>> validated against an OTP server. If/when sometime down the road we
>> shift to using smart cards for authentication rather than OTP fobs, it
>> simply means that we swap out the myproxy/soft-pkcs11 library for one
>> that actually interfaces with whatever smartcard we end up
>> standardizing on.
>>
>> Multi-module pam stacks work fine for initial login, but I don't know
>> of a generic pam-aware "acquire new credentials" application.
>>
>> I'm open to alternate suggestions, but I think that the user
>> experience of having kinit do the right thing without needing the user
>> to explicitly take the myproxy step will be a win. I could just
>> replace kinit with a script that does both kinit and myproxy, however
>> if I can come up with a solution that just requires configuration
>> changes to what will ultimately be the standard heimdal code/apps
>> rather than replacing them with wrappers I'll be happier.
>>
>>
>> -Matt
>>
>>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
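As an added example, not code from this thread or from Heimdal: a sanity check a user can run on a Globus proxy file before naming it twice in `kinit -C FILE:<path>,<path>` as both cert and key, as suggested above. It confirms the file is mode 0600 and holds a certificate followed by a private key; the PEM contents here are constructed placeholders, and the expected block order (proxy cert, key, issuer chain) is an assumption about the usual Globus proxy layout.

```python
import os
import re
import tempfile

# Any PEM block; group 1 is its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Constructed stand-in for /tmp/x509up_u<uid>: proxy cert, its key, then the issuer
# cert, in the order Globus writes them. Bodies are placeholders, not real credentials.
CONSTRUCTED_PROXY = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
)

def pem_labels(text):
    """Return the PEM block labels in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_proxy_file(path):
    """Sanity-check a proxy file before handing it to kinit -C FILE:<path>,<path>.
    Returns the -C identifier, the certificate count, key presence, and problems."""
    problems = []
    if os.stat(path).st_mode & 0o077:      # file holds a private key: must be 0600
        problems.append("file is group/world accessible; expected mode 0600")
    with open(path) as fh:
        labels = pem_labels(fh.read())
    certs = labels.count("CERTIFICATE")
    has_key = any(lbl.endswith("PRIVATE KEY") for lbl in labels)
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    if not has_key:
        problems.append("no PRIVATE KEY block found; nothing for kinit to sign with")
    if labels and labels[0] != "CERTIFICATE":
        problems.append("first block is not the end-entity (proxy) certificate")
    return {"identifier": f"FILE:{path},{path}", "certificates": certs,
            "has_private_key": has_key, "problems": problems}

def demo_check(with_key=True):
    """Write the constructed proxy to a 0600 temp file, check it, and clean up."""
    body = CONSTRUCTED_PROXY
    if not with_key:   # simulate a proxy file written without its private key
        body = body.replace("RSA PRIVATE KEY", "CERTIFICATE REQUEST")
    fd, path = tempfile.mkstemp(prefix="x509up_u")   # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        return check_proxy_file(path)
    finally:
        os.unlink(path)
```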