

Re: Using PKINIT with ECC

daemon@ATHENA.MIT.EDU (Goetz Golla)
Fri Nov 24 03:43:10 2023

Message-ID: <414fe2a9-56ad-4401-b72a-4c002405e56c@sec4mail.de>
Date: Fri, 24 Nov 2023 09:41:09 +0100
MIME-Version: 1.0
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Content-Language: en-US
From: Goetz Golla <mit@sec4mail.de>
In-Reply-To: <202311191733.3AJHXASl018607@hedwig.cmf.nrl.navy.mil>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit


On 11/19/23 18:33, Ken Hornstein wrote:
> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
> you tried that?  The OpenSC people usually do a good job in terms of
> supporting a wide variety of cards but depending on how old the particular
> version of OpenSC you are using is you may be running into a compatibility
> issue.
>
> --Ken

Indeed the module provided by Yubico solved the issue. It is called 
ykcs11 and is readily available in the Linux package managers.

E.g. using

  kinit -X X509_user_identity='PKCS11:libykcs11.so'

instead of

  kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'

BUT with ykcs11 I got the following message in the trace

[14174] 1700562344.750583: PKINIT error: There are 3 certs, but there must be exactly one.
[14174] 1700562344.750584: PKINIT client has no configured identity; giving up
[14174] 1700562344.750585: Preauth module pkinit (16) (real) returned: 22/Invalid argument

This is hard to understand because there is only one certificate on the 
Yubikey.

I solved this with the following line in /etc/krb5.conf

  pkinit_cert_match = &&<SUBJECT>UID=.*CN=.*$<ISSUER>CN=YUBIKEY-CA${code}

The line matches our certificate, so there is only one left and kinit is 
working now with ECC certificates.

But I am wondering if using pkinit_cert_match without really 
understanding why I need it and what the other two certificates are is 
such a good idea?


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
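The message above works around the "There are 3 certs, but there must be exactly one" error with a pkinit_cert_match rule. The following added example (not from the poster, nor krb5's own code) shows how such a rule is parsed and applied, so an administrator can check offline whether a candidate rule selects exactly one object before putting it in krb5.conf. It assumes the rule from the message ends in `CN=YUBIKEY-CA$`, supports only the SUBJECT, ISSUER and SAN components (EKU/KU are omitted), and uses constructed DN strings; real krb5 matches POSIX regexes against the DN strings it derives from the certificates.

```python
import re

# Constructed sample objects standing in for the three certificates ykcs11
# enumerated; labels and DN strings are made up to illustrate the matching.
CERTS = [
    {"label": "piv-auth", "subject": "UID=ggolla,CN=Goetz Golla",
     "issuer": "CN=YUBIKEY-CA", "san": ["ggolla@EXAMPLE.ORG"]},
    {"label": "other-1", "subject": "CN=Other Object 1",
     "issuer": "CN=Some Other CA", "san": []},
    {"label": "other-2", "subject": "CN=Other Object 2",
     "issuer": "CN=YUBIKEY-CA", "san": []},
]

# A component is <NAME> followed by a regex that runs up to the next '<'.
_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN)>([^<]*)")


def parse_rule(rule):
    """Split a pkinit_cert_match value into (relation, [(component, regex)])."""
    rule = rule.strip()
    relation = "&&"  # krb5 default when no operator is given
    if rule[:2] in ("&&", "||"):
        relation, rule = rule[:2], rule[2:]
    components = _COMPONENT.findall(rule)
    rebuilt = "".join(f"<{name}>{regex}" for name, regex in components)
    if not components or rebuilt != rule:
        raise ValueError(f"unparseable pkinit_cert_match rule: {rule!r}")
    return relation, components


def _component_matches(cert, name, regex):
    # SAN: any one of the names may match; SUBJECT/ISSUER: search the DN string.
    if name == "SAN":
        return any(re.search(regex, san) for san in cert["san"])
    return re.search(regex, cert[name.lower()]) is not None


def matching_certs(rule, certs):
    """Return every certificate the rule accepts (&& = all, || = any)."""
    relation, components = parse_rule(rule)
    combine = all if relation == "&&" else any
    return [c for c in certs
            if combine(_component_matches(c, n, r) for n, r in components)]


def select_identity(rule, certs):
    """Mimic the 'must be exactly one' requirement seen in the kinit trace."""
    hits = matching_certs(rule, certs)
    if len(hits) != 1:
        raise LookupError(f"There are {len(hits)} certs, but there must be exactly one.")
    return hits[0]
```

A rule that only pins the issuer still leaves two of the sample objects, which reproduces the same error; pinning the subject as well narrows it to one.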

