Our software consists of a preauth plugin for Kerberos, with the source located in src/plugins/preauth/pkinit. It will normally be installed as /usr/local/lib/krb5/plugins/preauth/pkinit.so. To build it you will need openssl and opensc installed. To run it you will need a pkcs11 module. We use the one supplied by opensc, but have tested with others as well. Opensc requires a "card middleware" layer, which can be supplied by either OpenCT or MUSCLE pcsc, depending on the card reader and card you intend to use.
On Debian or Ubuntu the required packages can be installed with "apt-get install" and include:
On Redhat (RHEL4 or fc5) the rpms needed include
You can also install opensc and openct from source, and there are some instructions in the wiki.
Card and Card Reader
These instructions assume you are using openct, not pcsc. Most card readers will use usb. Verify that your reader is available with "lsusb":
# lsusb
Bus 001 Device 020: ID 0973:0001 Schlumberger
Verify that openct can find your reader:
# openct-tool list
 0 Towitoko Chipdrive Micro
 2 Schlumberger E-Gate
If your reader is not listed, check /etc/openct.conf.
Get a list of available slot ids:
% pkcs11-tool -L
Available slots:
Slot 0           Schlumberger E-Gate
  token label:   OpenSC Card (reestest)
  token manuf:   OpenSC Project
  token model:   PKCS #15 SCard
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  000298B9FFFF0200
Slot 1           (empty)
The default pkcs11 module is opensc-pkcs11.so. You can specify any of module name, slot ID, token label, cert ID, and cert label on the command line, for example:
kinit -X X509_user_identity=PKCS11:/usr/local/Brand-X-crypto/lib/libpkcs11.so:slotid=4:certid=45:certlabel=Certificate
These all have reasonable defaults.
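The slot listing and the X509_user_identity string above are easy to get wrong by hand, so here is a small added helper (not part of the plugin or of opensc) that picks the populated slots out of `pkcs11-tool -L` output and assembles the identity string from whichever parameters you actually want to pin down. The sample listing is constructed from the output shown above; the column layout of `pkcs11-tool -L` varies between opensc versions, so the awk patterns are an assumption about that layout, and the `token=` keyword for the token label is taken from the MIT pkinit option syntax rather than from this page.

```shell
#!/bin/sh
# Added example: find populated PKCS#11 slots and build the kinit
# X509_user_identity value. Not code from the pkinit plugin or opensc.

# Constructed sample, modelled on the pkcs11-tool -L listing in the text.
SAMPLE_SLOT_LIST='Available slots:
Slot 0           Schlumberger E-Gate
  token label:   OpenSC Card (reestest)
  token manuf:   OpenSC Project
  token model:   PKCS #15 SCard
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  000298B9FFFF0200
Slot 1           (empty)'

# Print "slotid<TAB>token label" for every slot that holds a token.
# Reads the listing from stdin, so `pkcs11-tool -L | populated_slots`
# works on a live reader as well as on the sample above.
populated_slots() {
    awk '
        /^Slot [0-9]+/ {
            slot = $2                       # slot number follows "Slot"
            empty = ($0 ~ /\(empty\)/)      # remember empty slots
            next
        }
        /^ *token label *:/ && !empty {
            sub(/^ *token label *: */, "") # keep only the label text
            print slot "\t" $0
        }
    '
}

# Build the X509_user_identity value. Only the parameters given are
# emitted; the plugin falls back to its own defaults for the rest
# (opensc-pkcs11.so as the module, as the text states).
# usage: pkcs11_identity [module] [slotid] [token-label] [certid] [certlabel]
pkcs11_identity() {
    id="PKCS11:"
    [ -n "$1" ] && id="${id}$1:"
    [ -n "$2" ] && id="${id}slotid=$2:"
    [ -n "$3" ] && id="${id}token=$3:"      # keyword assumed from MIT pkinit docs
    [ -n "$4" ] && id="${id}certid=$4:"
    [ -n "$5" ] && id="${id}certlabel=$5:"
    printf '%s\n' "${id%:}"                 # drop the trailing separator
}

# Demo: identity string for the first populated slot in the sample,
# pinned to the cert ID 45 that the text's card shows.
first_populated_identity() {
    slot=$(printf '%s\n' "$SAMPLE_SLOT_LIST" | populated_slots | head -n 1 | cut -f1)
    pkcs11_identity "" "$slot" "" 45 ""
}

# Typical use:
#   kinit -X X509_user_identity="$(first_populated_identity)" user@REALM
```

Pinning the slot and cert ID is worth doing on a machine with several readers or several certificates on one card: with the defaults the plugin picks the first usable slot and certificate, which may not be the one the KDC has a mapping for.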
Unless your card was supplied with a key and certificate, you will have to initialize it. These instructions assume you are using opensc. You should read the instructions for pkcs15-init. It's possible to destroy your card, and most manufacturers won't give you a refund. The procedure is roughly:
pkcs15-init -ECT
pkcs15-init -PT -a 1 -l test -v
pkcs15-init -S test.key -a 1 -u sign,decrypt
pkcs15-init -X test.crt -a 1 -u sign,decrypt
Now verify this worked:
pkcs11-tool -O
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45
Public Key Object; RSA 1024 bits
  label:      Certificate
  ID:         45
  Usage:      encrypt, verify
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      none
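The text does not say where test.key and test.crt come from, and the first pkcs15-init step wipes the card, so a practitioner wants a check that the certificate really belongs to the key before anything is written. The script below is an added example, not part of the plugin or of opensc: it creates a key and a self-signed test certificate with openssl, refuses to touch the card if the pair does not match, and only then runs the four pkcs15-init commands from the text. It assumes openssl is on PATH, that a self-signed certificate is acceptable for a test card, that pkcs15-init accepts the PEM files openssl writes, and that `-E` in `pkcs15-init -ECT` is the erase-card option; the `PKINIT_CARD_INIT` guard variable is this example's own invention.

```shell
#!/bin/sh
# Added example: prepare test.key/test.crt, verify they match, then run the
# card provisioning sequence from the text. Not opensc's or the plugin's code.

# Generate an RSA key and a self-signed certificate for it.
# usage: make_test_pair key.pem cert.pem CommonName
make_test_pair() {
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1" -out "$2" -days 365 -subj "/CN=$3" 2>/dev/null
}

# Return 0 only if the certificate's public key is the one derived from
# the private key. Compares the SubjectPublicKeyInfo PEM rather than an
# RSA modulus, so it also works for non-RSA keys.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The page's initialisation sequence, guarded. -E erases the card, so this
# runs only after the pair check passes AND the caller has set
# PKINIT_CARD_INIT=yes (assumed guard, not an opensc setting).
# Returns 1 on a mismatched pair, 2 for a dry run, else pkcs15-init's status.
provision_card() {
    pair_matches "$1" "$2" || {
        echo "refusing: certificate $2 does not match key $1" >&2
        return 1
    }
    [ "${PKINIT_CARD_INIT:-no}" = yes ] || {
        echo "dry run: set PKINIT_CARD_INIT=yes to write the card" >&2
        return 2
    }
    pkcs15-init -ECT &&
    pkcs15-init -PT -a 1 -l test -v &&
    pkcs15-init -S "$1" -a 1 -u sign,decrypt &&
    pkcs15-init -X "$2" -a 1 -u sign,decrypt &&
    pkcs11-tool -O                          # the verification step from the text
}

# Run as: PKINIT_CARD_INIT=yes sh this_script.sh run
if [ "${1:-}" = run ]; then
    make_test_pair test.key test.crt reestest && provision_card test.key test.crt
fi
```

Two caveats on the verification output: `pkcs11-tool -O` without `-l` lists only public objects, so the private key not appearing in the listing above is expected rather than a sign that `-S` failed; and a self-signed certificate like the one generated here is only good for checking the card and the PKCS#11 path, since for an actual PKINIT logon the KDC must trust the issuer of the client certificate.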