On 11/19/23 18:33, Ken Hornstein wrote:
However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
you tried that? The OpenSC people usually do a good job in terms of
supporting a wide variety of cards but depending on how old the particular
version of OpenSC you are using is you may be running into a compatibility
issue.
--Ken
Indeed the module provided by Yubico solved the issue. It is called
ykcs11 and is readily available in the linux package managers.
E.g. using
kinit -X X509_user_identity='PKCS11:libykcs11.so'
instead of
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'
BUT with ykcs11 I got the following message in the trace
[14174] 1700562344.750583: PKINIT error: There are 3 certs, but there
must be exactly one.
[14174] 1700562344.750584: PKINIT client has no configured identity;
giving up
[14174] 1700562344.750585: Preauth module pkinit (16) (real) returned:
22/Invalid argument
This is hard to understand because there is only one certificate on the
Yubikey.
I solved this with the following line in /etc/krb5.conf
pkinit_cert_match = &&<SUBJECT>UID=.*CN=.*$<ISSUER>CN=YUBIKEY-CA${code}
The line matches our certificate, so there is only one left and kinit is
working now with ECC certificates.
But I am wondering if using pkinit_cert_match without really
understanding why I need it and what the other two certificates are is
such a good idea ?
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos