> k5start itself does not run kinit. It uses the Kerberos library calls
> directly. I am dubious that it would work with PKINIT from a file without
> some code changes. (Although also I'm not sure I understand the security
> model of using a PKINIT cert on disk and not a keytab.)
While you can specify some PKINIT options to the MIT kinit with the -X switch, at least in my experience PKINIT authentication is normally configured in your krb5.conf, and anything that calls the "normal" krb5_get_init_creds_with_password() function does the right thing. So I think k5start should work out of the box, assuming all of the other PKINIT stuff was configured properly.

I can think of situations where you might be issued X.509 certificates that you would want to use for authentication rather than a keytab. That might solve some compliance issues depending on site policy. E.g., here in the DoD there is a lot of policy pushback about using "fixed" passwords (even with password expiration), and while almost nobody knows about Kerberos, if they ever did figure out what a keytab was then there would be a lot of resistance to using that for client authentication. But if you use DoD-issued client certificates for authentication you are exempt from all that (most of the time they want you to use hardware token-based certificates, but software certificates are allowed for "non-person entities" and a few other cases).

--Ken

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
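As an added illustration (not from Ken's message, the thread, or the k5start project), this is the kind of krb5.conf PKINIT setup the reply above relies on: the file-based client identity is declared once in the realm block, so k5start, kinit, and any other caller of krb5_get_init_creds_with_password() pick it up with no PKINIT-specific flags. The realm, KDC hostname, and file paths are assumed placeholders.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # CA chain used to validate the KDC's own PKINIT certificate (assumed path).
    pkinit_anchors = FILE:/etc/pki/tls/certs/example-ca-chain.pem

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # File-based client identity: certificate file, then private key file.
        # Because the library reads this for every initial-credential request,
        # k5start needs no PKINIT option of its own.
        pkinit_identities = FILE:/etc/krb5/svc-cert.pem,/etc/krb5/svc-key.pem
        # Require the KDC certificate to name this host, so a stray KDC
        # cert from the same CA is not accepted (assumed hostname).
        pkinit_kdc_hostname = kdc.example.com
    }
```

The same identity can be given per invocation instead with `kinit -X X509_user_identity=FILE:/etc/krb5/svc-cert.pem,/etc/krb5/svc-key.pem`; either way the private key file is the credential, so it should be owned by and readable only by the account that runs k5start (mode 0600), which is the on-disk-key concern raised in the quoted message.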
