[30798] in Kerberos
Re: Using Smartcard with PK-INIT does not respond
daemon@ATHENA.MIT.EDU (Loren M. Lang)
Wed Mar 4 09:33:54 2009
From: "Loren M. Lang" <lorenl@north-winds.org>
To: Kevin Coffman <kwcoffman@gmail.com>
In-Reply-To: <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com>
Date: Wed, 04 Mar 2009 06:33:17 -0800
Message-Id: <1236177197.13692.2141.camel@ruth.aloha.tallye.com>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: multipart/mixed; boundary="===============1254972460=="
Errors-To: kerberos-bounces@mit.edu
--===============1254972460==
Content-Type: multipart/signed; micalg="pgp-sha1";
protocol="application/pgp-signature";
boundary="=-/16a3z2TZ2C6/AwCsjek"
--=-/16a3z2TZ2C6/AwCsjek
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
On Wed, 2009-03-04 at 08:46 -0500, Kevin Coffman wrote:
> On Wed, Mar 4, 2009 at 1:49 AM, Loren M. Lang <lorenl@north-winds.org> wr=
ote:
> > I am trying to enable smartcard logins to a MIT Kerberos domain using
> > the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with it's
> > stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
> > -DDEBUG. I have a server certificate installed on the KDC with the
> > extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
> > There is one intermediate certificate between it and the root CA.
> > Client certificates were generated similarly only with the
> > id_pkinit_KPClientAuth key usage and have two intermediates between it
> > and the same root CA. The client certificates are installed on a smart
> > card using opensc and are also enabled for the clientAuth key usage for
> > SSL client authentication. I also have intermediate CAs and the root C=
A
> > installed on the smart card as well. Firefox is able to see the smart
> > card including all intermediates and root CAs and is able to use it to
> > authenticate against a SSL website. Running kinit with debugging outpu=
t
> > I was able see that is was complaining that the smart card had four
> > matching certs. It did not filter out certificates missing the
> > appropriable key usages or missing subjectAltName, maybe that's typical=
.
> > I setup a pkinit_cert_match to filter out the other certificates and no=
w
> > kinit reports finding exactly one match, but bails out later due to
> > missing intermediate certificates so I setup pkinit_pool to point
> > to /etc/ssl/certs with appropriate certificates. It did not seem to us=
e
> > the intermediates already on the smart card, is this normal?
>=20
> Normal is subjective ;-) There is no code to deal with intermediates
> or root CAs that might be found on the smartcard.
Bad choice of words, I meant, how MIT's PK-INIT code is supposed to
behave. I was assuming that this functionality was supported by
OpenSSL/OpenSC and not MIT specifically.
>=20
> > Now kinit
> > was complaining about some broken symlinks that exist
> > under /etc/ssl/certs and it bails out. Shouldn't these just be ignored=
?
>=20
> I thought anything that wasn't a cert was ignored w/o bailing, but
> this might have been missed.
>=20
> > This symlinks point to missing certificates that have nothing to do wit=
h
> > the pki infrastructure I am using, but once I moved the symlinks out of
> > the way, kinit continued and finally sent out an AS-REQ with the PK-INI=
T
> > preauth data, but received no response. According to Wireshark,
> > following the initial AS-REQ with no preauth, the server responds with =
a
> > NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> > and PA-PK-AS-REP. The client then sends a single IP fragment response.
> > The fragment has a payload of 1480 bytes with flag more fragments, but
> > no further fragments are sent. I have no firewall rules installed and
> > am at a loss as to why there are no more fragments.
>=20
> I'm not sure what might be happening here. This would just be a
> work-around, but is it possible for you to try using TCP rather than
> UDP?
I enabled TCP support on my KDCs and netstat confirms they are listening
on them. I tried setting udp_preference_limit to 1480, 1000, and 50,
but kinit never uses TCP. I put udp_preference_limit both at the very
beginning and very end of my libdefaults section in krb5.conf and even
tried using copy/paste to double check that I typed it correctly.
Also, kdc_tcp_ports is not documented in my kdc.conf man page. I had to
look in the info pages for it.
>=20
> K.C.
>=20
--=20
Loren M. Lang
lorenl@north-winds.org
http://www.north-winds.org/
Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
--=-/16a3z2TZ2C6/AwCsjek
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAYFAkmukS0ACgkQ3O67OXZU3luiDACgyJFVzV38WNnBPfRML7fDctg5
btEAoIsLwYD61oU7T7TXDhnPkwhsS5kp
=vIXM
-----END PGP SIGNATURE-----
--=-/16a3z2TZ2C6/AwCsjek--
--===============1254972460==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============1254972460==--
