Colors of Noise

krb5-auth-dialog pkinit support
19th September 2008

I finally got around to hack pkinit support into krb5-auth-dialog. It's available on the pkinit branch in git:

git clone
git-checkout --track  -b  pkinit origin/pkinit mkdir build && cd build
../ --enable-pkinit && make && make install

In order to build it, you need Heimdal 1.1 or newer. The freshly built krb5-auth-dialog will work as before until you set:

gconftool-2 --type=string --set /apps/krb5-auth-dialog/pk_userid "PKCS11:/usr/lib/opensc/"

This tells krb5-auth-dialog to look for the principal's public/private/certificate identifier on a smartcard that is handled via opensc (like kinit's "-C" option). From now on krb5-auth-dialog will ask for the smart cards' PIN instead of the principals password:

pin entry

Note: when using pkcs11 there's currently a bug in Heimdal that causes all applications to crash when you enter an incorrect PIN. The bugreport has a patch for Heimdal 1.2 to fix this attached.

Tags: single-sign-on.

RSS feed