[39217] in Kerberos
Re: Elementary PKINIT questions (MIT Kerberos/Linux configuration)
daemon@ATHENA.MIT.EDU (Jason White via Kerberos)
Tue Mar 28 10:14:16 2023
Message-ID: <a9fb47a6-b7bf-bf06-8b61-2ebc22ac9b1c@jasonjgw.net>
Date: Tue, 28 Mar 2023 10:08:32 -0400
MIME-Version: 1.0
Content-Language: en-US
To: kerberos@mit.edu
In-Reply-To: <202303281324.32SDOFZG013888@hedwig.cmf.nrl.navy.mil>
From: Jason White via Kerberos <kerberos@mit.edu>
Reply-To: Jason White <jason@jasonjgw.net>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
On 28/3/23 09:24, Ken Hornstein wrote:
>
> You can specify the certificate exactly on the 'kinit' command line
> with the "-X X509_user_identity" option (this has the same format
> as the pkinit_identities option in krb5.conf). Now this option isn't
> supported for kadmin, but you can do:
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin jason/admin
>
> or
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin.host jason/admin
>
> Depending on the principal you are using for kadmind, and then you can use
> the "-c credential_cache" option to kadmin to use an existing credential
> cache.
Thank you - that worked as described, once I gave kadmin the correct
credentials cache.
> I have had success using a YubiKey 5 in PIV mode which also supports
> a bunch of other things like FIDO 2; I have no connection with Yubico
> other than as a user. Yubico provides a PKCS#11 module but in PIV mode
> you should be able to use any PKCS#11 module that supports PIV (this is
> very common). One advantage to a YubiKey is it is just USB and does not
> require a dedicated smartcard reader. Note that this is a lot of moving
> parts and probably will require a fair amount of fiddling.
Yes, exactly. I'm contemplating Yubikeys, however, for this and other
reasons.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
