>P:296321; T:0x140609979246400 17:33:26.054 [opensc-pkcs11]
>pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_HANDLE_INVALID
>
>So there is some problem with opensc-pkcs11. Interestingly I am using
>the same Yubikey successfully with pam-pkcs11 to authenticate without
>problems.

CKR_KEY_HANDLE_INVALID means "The handle passed is not a valid key". Which is not exactly helpful ("handles" in PKCS#11 are nonzero integers and refer to objects on the card).

You MIGHT be running into an issue where there is a bug in the PKINIT code that makes PKCS#11 calls, but that code has been stable for a long time so I would be surprised if the failure was there (but, I have been surprised before!). I believe there is some environment variable or other configuration you can set to get more debugging information out of opensc but I don't recall it right now.

However, I believe Yubico provides a PKCS#11 module for Yubikeys; have you tried that? The OpenSC people usually do a good job in terms of supporting a wide variety of cards, but depending on how old the particular version of OpenSC you are using is, you may be running into a compatibility issue.

--Ken