pkinit and krb5.conf [appdefaults] section
Hi,
While setting up krb5.conf for pkinit I was reminded of a recent
discussion in the thread titled "Re: Turning off hostname
canonicalisation" about what sort of things should end up in the
[appdefaults] section. I noticed the "pkinit-anchors =
OPENSSL-ANCHOR-DIR:/dir-to-client-trusted-ca-hashes" in the
[appdefaults] section. Is this used directly by kinit, or is it parsed
by the libs? If this is entirely parsed by kinit, does that mean that
any app designed to acquire credentials via the pkinit mechanism would
have to parse this (or a similar directive) manually? I'm thinking about
a PAM module here (something that I may be looking into working on in the
near future.)
Also, if this is parsed by the client libs, shouldn't it go into
[libdefaults]?
Should this be coordinated with MIT krbdev so that if/when they
implement some form of pkinit we don't wind up with 2 ways of doing
things? If this has all been discussed before I joined the list then I
apologize for not checking for archives.
-Matt