krb5-auth-dialog pkinit support
19th September 2008
I finally got around to hacking pkinit support into krb5-auth-dialog. It's available on the pkinit branch in git:
git clone http://honk.sigxcpu.org/git/krb5-auth-dialog.git
cd krb5-auth-dialog
git checkout --track -b pkinit origin/pkinit
mkdir build && cd build
../autogen.sh --enable-pkinit && make && make install
In order to build it, you need Heimdal 1.1 or newer. The freshly built krb5-auth-dialog will work as before until you set:
gconftool-2 --type=string --set /apps/krb5-auth-dialog/pk_userid "PKCS11:/usr/lib/opensc/opensc-pkcs11.so"
This tells krb5-auth-dialog to look for the principal's public/private/certificate identifier on a smart card that is handled via opensc (like kinit's "-C" option). From now on krb5-auth-dialog will ask for the smart card's PIN instead of the principal's password.
Note: when using pkcs11 there's currently a bug in Heimdal that causes all applications to crash when you enter an incorrect PIN. The bug report has a patch for Heimdal 1.2 attached that fixes this.
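The PKCS#11 module named in pk_userid is a shared library that gets loaded into the process handling the PIN, so it is worth checking the value before storing it. The following is an added example, not part of krb5-auth-dialog or of the original post; the helper names (not_loosely_writable, check_pk_userid, set_pk_userid) and the exit codes are hypothetical, and it only handles the "PKCS11:<absolute path>" form shown above.

```shell
#!/bin/sh
# Added example: sanity-check a pk_userid value before writing it to GConf.
# All function names here are hypothetical helpers, not krb5-auth-dialog code.

# Return 0 if the path (symlinks followed) is neither group- nor world-writable.
not_loosely_writable() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    g=$(printf '%s' "$mode" | cut -c6)   # group write bit
    o=$(printf '%s' "$mode" | cut -c9)   # other write bit
    [ "$g" != "w" ] && [ "$o" != "w" ]
}

# Exit codes: 0 ok, 2 bad format, 3 module missing, 4 unsafe permissions.
check_pk_userid() {
    case "$1" in
        PKCS11:/*) module=${1#PKCS11:} ;;   # strip the scheme, keep the path
        *) return 2 ;;
    esac
    [ -f "$module" ] || return 3
    # Anyone who can replace the module, or rename files in its directory,
    # can run code in the process that receives the PIN.
    not_loosely_writable "$module" || return 4
    not_loosely_writable "$(dirname -- "$module")" || return 4
    return 0
}

# Store the value only if it passed the checks above.
set_pk_userid() {
    check_pk_userid "$1" || { echo "refusing pk_userid '$1' (code $?)" >&2; return 1; }
    gconftool-2 --type=string --set /apps/krb5-auth-dialog/pk_userid "$1"
}
```

Call it as set_pk_userid "PKCS11:/usr/lib/opensc/opensc-pkcs11.so"; a module that lives directly in a sticky world-writable directory such as /tmp is rejected.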