On 28/3/23 09:24, Ken Hornstein wrote:
> You can specify the certificate exactly on the 'kinit' command line
> with the "-X X509_user_identity" option (this has the same format
> as the pkinit_identities option in krb5.conf). Now this option isn't
> supported for kadmin, but you can do:
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin jason/admin
>
> or
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin.host jason/admin
>
> depending on the principal you are using for kadmind, and then you can use
> the "-c credential_cache" option to kadmin to use an existing credential
> cache.
Thank you - that worked as described, once I gave kadmin the correct
credentials cache.
> I have had success using a YubiKey 5 in PIV mode which also supports
> a bunch of other things like FIDO2; I have no connection with Yubico
> other than as a user. Yubico provides a PKCS#11 module but in PIV mode
> you should be able to use any PKCS#11 module that supports PIV (this is
> very common). One advantage to a YubiKey is it is just USB and does not
> require a dedicated smartcard reader. Note that this is a lot of moving
> parts and probably will require a fair amount of fiddling.
Yes, exactly. I'm contemplating YubiKeys, however, for this and other
reasons.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
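The procedure quoted above (PKINIT with an explicit client identity to get a kadmin service ticket into a cache, then pointing kadmin at that cache) as an added shell example; this is not code from the list thread or from MIT krb5. It assumes MIT krb5's kinit, kadmin and kdestroy on PATH; the principal names, the /tmp paths and the ykcs11 module location in the usage comments are placeholders. The identity check in front of kinit is a convenience added here: it catches an unreadable certificate, a missing key, or a missing PKCS#11 module before kinit turns the problem into a generic preauthentication failure.

```sh
#!/bin/sh
# Added example (not from the mailing-list post or the krb5 project).
# Assumes MIT krb5 kinit/kadmin/kdestroy on PATH; all principals and
# paths below are placeholders.

# Sanity-check a pkinit_identities-style identity string before passing it
# to kinit. Handles the FILE:cert[,key] form and the PKCS11: form used
# with a YubiKey in PIV mode (PKCS11:module_name=/path/to/module[:slotid=..]).
validate_identity() {
    ident="$1"
    case "$ident" in
        FILE:*)
            spec="${ident#FILE:}"
            cert="${spec%%,*}"
            [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
            case "$spec" in
                *,*) key="${spec#*,}"
                     [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; } ;;
                *)   # single-file form: the PEM must carry the private key too
                     grep -q 'PRIVATE KEY' "$cert" || {
                         echo "no private key in $cert and no key file given" >&2
                         return 1
                     } ;;
            esac ;;
        PKCS11:*)
            mod="${ident#PKCS11:}"
            mod="${mod#module_name=}"
            mod="${mod%%:*}"       # drop :slotid=/:token=/:certid= qualifiers
            [ -r "$mod" ] || { echo "PKCS#11 module not readable: $mod" >&2; return 1; } ;;
        *)
            echo "unsupported identity type: $ident" >&2; return 1 ;;
    esac
    return 0
}

# Print the two commands the thread describes: kinit fetching a ticket for
# the kadmind service principal into a dedicated cache, then kadmin using
# that cache. Printing (rather than running) lets the caller review them.
kadmin_cmds() {
    ident="$1"; kadmin_svc="$2"; admin="$3"; ccache="$4"
    printf 'kinit -c %s -X X509_user_identity=%s -S %s %s\n' \
        "$ccache" "$ident" "$kadmin_svc" "$admin"
    printf 'kadmin -c %s\n' "$ccache"
}

# Run it for real. A separate cache keeps the kadmin ticket away from the
# user's default credential cache, and it is destroyed afterwards since a
# kadmin/admin ticket has no other use.
pkinit_kadmin() {
    ident="$1"; kadmin_svc="$2"; admin="$3"
    ccache="${4:-FILE:/tmp/krb5cc_kadmin_$$}"
    validate_identity "$ident" || return 1
    kinit -c "$ccache" -X "X509_user_identity=$ident" -S "$kadmin_svc" "$admin" || return 1
    kadmin -c "$ccache"
    rc=$?
    kdestroy -c "$ccache"
    return $rc
}

# Placeholder invocations (adjust the kadmin service principal to match
# what your kadmind actually uses: kadmin/admin or kadmin/<host>):
#   pkinit_kadmin FILE:/tmp/foo.pem kadmin/admin jason/admin
#   pkinit_kadmin FILE:/tmp/cert.pem,/tmp/key.pem kadmin/admin.host jason/admin
#   pkinit_kadmin PKCS11:module_name=/usr/lib/libykcs11.so kadmin/admin jason/admin
```

The FILE: form with a comma-separated key file and the PKCS11: module_name syntax follow the pkinit_identities grammar in krb5.conf; the hypothetical /usr/lib/libykcs11.so path should be replaced with wherever the YubiKey (or other PIV) PKCS#11 module is installed.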