[39082] in Kerberos


Re: windows and smartcards

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Thu May 5 10:44:55 2022

Message-ID: <202205051441.245Effnu006676@hedwig.cmf.nrl.navy.mil>
To: Prabin Tamang <prabintamang1040@gmail.com>
cc: kerberos@mit.edu
In-Reply-To: <CALTuj67a3EZeOB6B8ydfrzyAoyaj7S7F80qzGhrBwab_7fj2cg@mail.gmail.com>
MIME-Version: 1.0
Date: Thu, 05 May 2022 10:41:41 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>Gotcha, thank you very much for all the help.
>I guess just out of curiosity:
>- for Windows: there are other tools such as Heimdal and Microsoft
>Kerberos. With those, I don't know if you ever played around with them or
>know if they support smartcard and PIN authentication to get a ticket
>manually.
>Manually meaning: get a ticket for a specified account with the use of
>kinit or similar tools.

Here's my limited, imperfect understanding of the situation.

- My understanding is that the Kerberos implementation supplied by Microsoft
  does implement PKINIT and works with smartcards.  But I am not sure if
  you can use it OUTSIDE of an Active Directory domain.

- It seems that Heimdal _does_ implement PKINIT.  But it's not clear to
  me that they support using PKCS#11 to sign the PKINIT request, which
  is the piece you need to make it work with smartcards.  I mean, I see
  there is SOME PKCS#11 support, I just didn't see any calls to something
  like C_SignInit.  It's very possible I missed it.  You're going to have
  to investigate that on your own.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
