Gotcha, thank you very much for all the help.

I guess just out of curiosity:
- For Windows: there are other tools such as Heimdall and Microsoft Kerberos. With those, I don't know if you ever played around with them or know if they support smartcard and PIN authentication to get a ticket manually. Manually meaning, get a ticket for a specified account with the use of kinit or similar tools.

Prabin

On Wed, May 4, 2022 at 10:00 PM Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:

> >for more information on this"
> >- People I work with have adapted the stock MIT Kerberos PKINIT plugin
> >  to work on Windows.
> >
> >Do you have any sort of documentation that you can point me to on how to
> >make this work with Windows. And also Mac, as we also have Mac users.
>
> Unfortunately, no (at least, not on Windows).
>
> We compile our own Kerberos kit for Windows, which has the changes in
> it to build the PKINIT plugin. Actually, I believe it's worse than
> that; from memory I believe we have a separate PKINIT plugin directory.
> And ... the build environment is a huge mess there. I don't recall that
> the code changes are large (I didn't do them), but you do need to source
> a Windows-compatible regular expression library. One of my long term
> goals is to get us using as much stock MIT code as possible, but I never
> did work out getting our changes to PKINIT to make it functional on Windows
> into stock MIT Kerberos. So, I can't really help you there.
>
> >Currently, my main focus is on Windows machines, so, the steps I have done
> >to try to authenticate with a smartcard:
> >1. install MIT kerberos
> >2. Install opensc-pkcs11
> >3. use the following commands in the hope that it will use smartcard:
> >kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dill
>
> Right, I think you'll have more success with this on MacOS X. The code
> for Windows simply doesn't exist, at least in vanilla MIT Kerberos. There
> are a lot of pieces you need to make PKINIT work, so I'd start with a
> platform where it at least is known to work.
>
> --Ken
>

--
Thank you,
Prabin Tamang
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos