[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [opensc-devel] Change to engine_pkcs11 to allow private certificatesto be read from card
Andreas Jellinghaus wrote:
> Am Freitag 21 Oktober 2005 22:55 schrieb Douglas E. Engert:
>
>>Please consider this patch to facilitate the reading of private
>>certificates from a smart card.
>
>
> thanks, commited.
>
> Regards, Andreas
> p.s. maybe you have some code using the engine that could
> be added as example code to the engine_pkcs11 project? :)
What I have is the Heimdal PKINIT kerberos code. PKINIT is the
Kerberos pre-auth method to use PKI to get a Kerberos ticket, and
it is what is used by Windows AD with smartcards. The Heimdal
Kerberos supports the latest PKINIT drafs as well as the Windows
implementation based on an older draft. So If you have a smartcard
issued by AD for login, it can be used on linux to login. It requires
Kerberos to be setup before hand, and the linux host willing to
accept Kerberos users from AD.
In the krb5.conf add all on one line:
pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/opt/smartcard/lib/openssl/engine_pkcs11.so,
PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/opt/smartcard/lib/opensc-pkcs11.so,PRE=VERBOSE
The with the kinit program:
kinit -C ENGINE:CERT=slot_0,KEY=slot_0 user@realm
and there are PAM mods too.
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444