Dear Community,

I assume I have mailed the right community list for these kinds of questions. If I have mailed the wrong location, may I please ask for the respective mailing address.

I am a system administrator for a high performance cluster, and I am thinking of setting up smartcard authentication with Kerberos. I have already completed the Kerberos authentication implementation for users of the cluster, through kinit and GSSAPI. These are the steps that I have followed to set up PKINIT with a smartcard.

1. I have created a CA to issue the CA certificates and CA key, and used those to create the KDC certificates and client certificates as mentioned in the link below.
   http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
2. However, in order to use a smartcard along with PAM and Kerberos authentication, I need to use the CAs given by our organization for the smart card, for which we do not have the CA key.

My question is: do we have to use the same CA for the KDC, client and smartcard certificates? Or could we mention 2 different CAs to the KDC for the KDC and client certificates and the smartcard certificate? In that way, it would be helpful if the KDC could use a self-generated CA certificate for the KDC and client certificates, while it uses the smartcard CA certificate for user login authentication with the smart card.

Also, may I know how we kinit using a smartcard, in order to debug whether the issue is with the PAM login attempt or with Kerberos authentication?

I would be happy to hear from you.

Thank you,
Lohit

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
