Re: [Opensc-devel] kerberos

[Douglas E E. <dee...@gm...>]

Before I retired in 2014, we used to use this:
[appdefaults]
148         pam = {
149 #               Uncomment to use with PKINIT and pam_krb5
150 #               for smart card login using AD
151 #               Change module path as needed
152 #               pkinit_prompt = true
153 #               try_pkinit = 1
154 #               pkinit_user = PKCS11:module_name=/usr/lib/opensc/opensc-pkcs11.so
155 }

Windows AD was the KDC, and the certificates have the Microsoft extensions for
Windows login.  If you are trying to use Windows AD, I can give more information.

In the simplest case, one smart card, you should not need all the extra options.
The PKINIT code will look at all the certificates and select one.

If you want to see the PKCS#11 calls and/or the card commands see
https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC




On 1/25/2018 6:37 AM, J.W...@mi... wrote:
> Hi all,
> 
> Is there anyone around here who tried toget a kerberos ticket based on certs/keys on a smartcard?
> 
> According to all man-pages, I need:
> 
> PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]
> 
> And with pkcs11-tool, I think I know the values of the fields.
> 
> But HOW / WHERE to include the “PKCS11:….” String into /etc/krb5.conf
> 
> Kind regards, Hans
> 
> 
> Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en 
> het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
> 
> This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the 
> message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> 
> 
> 
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
> 

-- 

  Douglas E. Engert  <DEE...@gm...>