[32527] in Kerberos
kerberos, pre_auth, and smartcards
daemon@ATHENA.MIT.EDU (Bram Cymet)
Tue Jul 27 15:33:39 2010
Message-ID: <4C4F348C.9080905@cbnco.com>
Date: Tue, 27 Jul 2010 15:33:32 -0400
From: Bram Cymet <bcymet@cbnco.com>
To: kerberos@mit.edu
Hi,
I have been able to get kinit to (sort of) talk to my smartcard.
By specifying the X509_user_identity on the command line, kinit will ask
me for the PIN of the smart card and log into the smartcard (using
opensc_pkcs11) but then it will do nothing else with the smartcard. It
will then ask for my password and my kdc will happily issue me a ticket.
Even if I give the wrong PIN for the smartcard I can still get a ticket.
What really worries me is that NEEDED_PREAUTH is set for the principal
that I am using and "Additional pre-authentication required" is sent
back with the first AS_REQ but no matter what I do the kdc will issue a
ticket as long as I give it the correct password.
It is my understanding that with pre_auth required pkinit should be used
and there should be some type of certificate verification, correct? This
does not seem to be going on here. I have not specified a client cert
and I know it is not getting the cert off the smartcard. Is my
interpretation of pre_auth required incorrect?
I am using MIT Kerberos compiled from the latest released source.
If more information is needed, let me know.
Any ideas what could be going on?
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752