[37829] in Kerberos
Re: Add preauth questions to kerberos responder context
daemon@ATHENA.MIT.EDU (Dorian Duc)
Mon Jan 16 05:10:54 2017
Date: Mon, 16 Jan 2017 03:10:36 -0700 (MST)
From: Dorian Duc <dodo040@hotmail.fr>
To: kerberos@mit.edu
Message-ID: <1484561436795-46574.post@n3.nabble.com>
In-Reply-To: <AM5PR0802MB261289E59F5343217B9F59348E930@AM5PR0802MB2612.eurprd08.prod.outlook.com>

I succeeded in the end. The problem was that a previous PKCS11 session was
not closed before the PKINIT process tried to open a new one.

103: C_Initialize
2017-01-12 17:46:43.597
[in] pInitArgs = (nil)
Returned: 401 CKR_CRYPTOKI_ALREADY_INITIALIZED
C_Initialize: cryptoki already initialized
can't open pkcs11 session
104: C_Finalize
2017-01-12 17:46:43.598
Returned: 0 CKR_OK
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
questions_to_answer=password
pkinit_client_process 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70
0x7fffe40a1c20
processing KRB5_PADATA_PK_AS_REQ
pkinit_client_profile 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70
0x7fffe40a2538
pkinit_identity_prompt: 0x7fffe409f1f0 0x7fffe40a23f0 0x7fffe40a2290

If all the previously opened sessions are properly closed and the KDC is
configured to ask the client for PKINIT preauthentication, we should get
the following result:

111: C_CloseSession
2017-01-12 18:05:04.655
[in] hSession = 0xbabfcb7f
Returned: 0 CKR_OK
112: C_Finalize
2017-01-12 18:05:04.655
Returned: 0 CKR_OK
pkinit_client_prep_questions: asking question
'{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
pkinit_client_prep_questions returning 0
pkinit_client_prep_questions: asking question
'{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
pkinit_client_prep_questions returning 0
questions_to_answer=pkinit
pkinit_client_process 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760
0x7fffe40897f0
processing KRB5_PADATA_PK_AS_REQ
pkinit_client_profile 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760
0x7fffe4089f38
pkinit_identity_prompt: 0x7fffe4096090 0x7fffe4089df0 0x7fffe4089c70

Dorian Duc wrote:
> Hello,
>
>
> I want to use "pkinit" preauth question to authenticate with kerberos.
>
>
> But I'm unable to answer "pkinit" question because it's not available in
> the list of questions returned by krb5_responder_list_questions(). Only
> "password" is proposed.
>
>
> How can I add "pkinit" or even "otp" in the list of preauth questions ?
>
>
> Thank you
> ________________________________________________
> Kerberos mailing list
> Kerberos@
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
View this message in context: http://kerberos.996246.n3.nabble.com/Add-preauth-questions-to-kerberos-responder-context-tp46464p46574.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
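
The diagnosis described in the message above, as an added example that is not part of the original post or of MIT krb5: a Python triage script that pairs each PKCS#11 call in a pkcs11-spy trace with its return code and decodes the PKINIT question into its identity fields. The sample traces are constructed from the lines quoted in the post, and the names `triage` and `parse_challenge` are hypothetical.

```python
import json
import re

# Constructed samples shaped like the two traces quoted in the post.
FAILING = """103: C_Initialize
[in] pInitArgs = (nil)
Returned: 401 CKR_CRYPTOKI_ALREADY_INITIALIZED
104: C_Finalize
Returned: 0 CKR_OK
pkinit_client_prep_questions: no questions to ask
questions_to_answer=password"""
WORKING = """111: C_CloseSession
Returned: 0 CKR_OK
112: C_Finalize
Returned: 0 CKR_OK
pkinit_client_prep_questions: asking question
'{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
questions_to_answer=pkinit"""

CALL = re.compile(r"^(\d+): (C_\w+)$", re.M)
RET = re.compile(r"^Returned: \d+ (CKR_\w+)$", re.M)
ASKED = re.compile(r"asking question\s+'(\{.*?\})'")  # tolerates mail line wrap

def parse_challenge(text):
    """Split each identity in a PKINIT challenge into its key=value fields."""
    out = []
    for identity, flags in json.loads(text).items():
        scheme, _, rest = identity.partition(":")
        fields = dict(p.split("=", 1) for p in rest.split(":") if "=" in p)
        out.append({"scheme": scheme, "flags": flags, **fields})
    return out

def triage(trace):
    """Pair each PKCS#11 call with its return code and explain the outcome."""
    # Merge call headers and return lines in file order, then pair them up.
    events = sorted([(m.start(), "call", m[2]) for m in CALL.finditer(trace)] +
                    [(m.start(), "ret", m[1]) for m in RET.finditer(trace)])
    failed, current = [], None
    for _, kind, value in events:
        if kind == "call":
            current = value
        elif value != "CKR_OK":
            failed.append((current, value))
    offered = sorted(set(re.findall(r"questions_to_answer=(\w+)", trace)))
    identities = [i for q in sorted(set(ASKED.findall(trace)))
                  for i in parse_challenge(q)]
    stale = ("C_Initialize", "CKR_CRYPTOKI_ALREADY_INITIALIZED") in failed
    return {"failed": failed, "offered": offered, "identities": identities,
            "stale_pkcs11": stale and "pkinit" not in offered}
```

Calling `triage(FAILING)` sets `stale_pkcs11`, the case where the module was still initialized and only `password` was offered; `triage(WORKING)` returns the decoded module path, slot and token label.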