git clone http://honk.sigxcpu.org/git/krb5-auth-dialog.git git-checkout --track -b pkinit origin/pkinit mkdir build && cd build ../autogen.sh --enable-pkinit && make && make install
In order to build it, you need Heimdal 1.1 or newer. The freshly built krb5-auth-dialog will work as before until you set:
gconftool-2 --type=string --set /apps/krb5-auth-dialog/pk_userid "PKCS11:/usr/lib/opensc/opensc-pkcs11.so"
This tells krb5-auth-dialog to look for the principal's public/private/certificate identifier on a smartcard that is handled via opensc (like kinit's "-C" option). From now on krb5-auth-dialog will ask for the smart cards' PIN instead of the principals password: