[32068] in Kerberos


Preauthentication Error

daemon@ATHENA.MIT.EDU (vinay kumar)
Mon Feb 22 10:36:50 2010

Date: Fri, 19 Feb 2010 16:27:32 +0530
Message-ID: <dca721831002190257p2bbf13efl88518c9d9f6da4a9@mail.gmail.com>
From: vinay kumar <winay.l@gmail.com>
To: kerberos@mit.edu

Hi all,

I am implementing PKINIT. I have generated certificates using the
openssl tool, but I am not getting the PA-DASS, PA-PK-AS-REQ,
PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from
the KDC. It's asking for a password to authenticate and sending an
encrypted timestamp in the second AS_REQ to the KDC, but I want to use
certificate-based authentication. So the fields PA-DASS, PA-PK-AS-REQ,
PA-PK-AS-REP are needed in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED)
from the KDC.

I have compiled the preauth pkinit plugin with the '-DDEBUG' option;
the following data is displayed when I run the KDC in the foreground:
***********************************************************************************************************

bash-3.1# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'GLOBALEDGESOFT.COM'
pkinit_server_plugin_init_realm: initializing context at 0x8065e98 for realm 'GLOBALEDGESOFT.COM'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x806ff28
pkinit_init_identity_crypto: returning ctx at 0x8070fa8
pkinit_init_kdc_profile: entered for realm GLOBALEDGESOFT.COM
pkinit_fini_identity_crypto: freeing   ctx at 0x8070fa8
pkinit_fini_plg_crypto: freeing context at 0x806ff28
pkinit_server_plugin_fini: freeing   context at 0x8064a58

**********************************************************************************************************
No extra data is displayed when I do kinit for a principal from the
client system.
The reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC captured in
Wireshark contains the following fields:
*********************************************************************************************************
e-text: NEEDED-PREAUTH
e-data
   padata: PA-ENC-TIMESTAMP Unknown:B6 PA-ENCTYPE-INFO2
PA-SAM-RESPONSE Unknown:133
Type: PA-ENC-TIMESTAMP(2)
Type: Unknown(136)
Type:PA-ENCTYPE-INFO2(19)
Type:PA-SAM-RESPONSE(13)
Type:Unknown(133)
*********************************************************************************************************

Please guide me on what modifications are needed to get the PA-DASS,
PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply
(KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.

Regards,
Vinay
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
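
Added example, not part of the original message or of MIT krb5: a Python script that reads the "Type:" lines of the capture quoted above, names each advertised pre-authentication type using the numbers assigned in RFC 4120, RFC 4556 and RFC 6113, and reports whether any PKINIT type is offered. The function names and the text-parsing approach are assumptions made for illustration.

```python
import re

# Pre-authentication type numbers as assigned in RFC 4120,
# RFC 4556 (PKINIT) and RFC 6113 (FAST).
PADATA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    13: "PA-SAM-RESPONSE",
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
}
PKINIT_TYPES = {14, 15, 16, 17}

# The "Type:" lines copied from the capture quoted in the message.
CAPTURE = """\
Type: PA-ENC-TIMESTAMP(2)
Type: Unknown(136)
Type:PA-ENCTYPE-INFO2(19)
Type:PA-SAM-RESPONSE(13)
Type:Unknown(133)
"""

# Matches 'Type: NAME(n)' with or without a space after the colon.
TYPE_LINE = re.compile(r"^\s*Type:.*\((\d+)\)\s*$")

def advertised_types(dissection):
    """Return the padata type numbers in the order the KDC listed them."""
    found = []
    for line in dissection.splitlines():
        match = TYPE_LINE.match(line)
        if match:
            found.append(int(match.group(1)))
    return found

def summarize(dissection):
    """Name each advertised type and list any PKINIT types among them."""
    types = advertised_types(dissection)
    return {
        "names": [PADATA_NAMES.get(t, "not-in-table(%d)" % t) for t in types],
        "pkinit_offered": sorted(set(types) & PKINIT_TYPES),
    }

if __name__ == "__main__":
    result = summarize(CAPTURE)
    print("advertised:", ", ".join(result["names"]))
    print("PKINIT offered:", result["pkinit_offered"] or "none")
```

The two types the dissector showed as Unknown resolve to the FAST entries of RFC 6113, and the empty PKINIT list matches what the message reports.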
