krb5-1.12.1, pkinit, and openssl ca
squidmobile@fastmail.fm
Sun Jun 8 18:35:05 EDT 2014
07 jun 2014
greetings,
as expected, my pkinit efforts failed. however, i captured some
output for analysis. i included everything i thought relevant.
i also embedded some questions and comments in the output.
Script started on Sat 07 Jun 2014 06:12:05 PM EDT
hostname(test) 1 $ ksh -xv /tmp/gigo.sh
### this next file is an included fragment of the krb5.conf file
cat /local/package/krb5/etc/krb5.frag.realms
+ cat /local/package/krb5/etc/krb5.frag.realms
[realms]
DOMAIN.NAME = {
master_kdc = kdc.domain.name
admin_server = kdc.domain.name
kdc = kdc.domain.name
kdc = secondary-kdc.domain.name
pkinit_anchors = DIR:/local/package/krb5/ssl/certs.root
pkinit_pool = DIR:/local/package/krb5/ssl/certs.pool
pkinit_identity = DIR:/home/%{username}/.krb5.id
}
###
i would really like to use some variant of DIR:${HOME}/.krb5 or
maybe DIR:${HOME}/.certs instead of DIR:/home/%{username}/...
since you have all of these %{expansion} options, would it be
possible or feasible to add %{home} for client keytab files or
pkinit certificates?
###
### the kdc.conf file includes these lines:
pkinit_anchors = DIR:/local/package/krb5/ssl/certs.root
pkinit_pool = DIR:/local/package/krb5/ssl/certs.pool
pkinit_identity = DIR:/local/package/krb5/ssl/private
###
cd /local/package/krb5/ssl/certs.root
+cd /local/package/krb5/ssl/certs.root
ls -la
+ls -la
total 0
drwxr-xr-x 2 root root 32 2014-05-27 15:14 .
drwxr-xr-x 5 root root 32 2014-05-26 12:28 ..
lrwxrwxrwx 1 root root 16 2014-05-27 15:14 a51f0729.0 ->
root.ca.cert.pem
lrwxrwxrwx 1 root root 46 2014-05-27 00:16 root.ca.cert.pem ->
/config/common.ssl/certs.root/root.ca.cert.pem
cd /local/package/krb5/ssl/certs.pool
+cd /local/package/krb5/ssl/certs.pool
ls -la
+ls -la
total 4
drwxr-xr-x 2 root root 16 2014-06-06 23:54 .
drwxr-xr-x 5 root root 32 2014-05-26 12:28 ..
lrwxrwxrwx 1 root root 16 2014-06-06 23:54 15ef1ba1.0 ->
krb5.ca.cert.pem
-rw-r--r-- 1 root root 2013 2014-05-27 14:44 krb5.ca.cert.pem
cd /home/test/.krb5.id
+ cd /home/test/.krb5.id
ls -al
+ ls -al
total 12
drwx------ 6 test test 72 2014-06-07 17:11 .
drwx------ 5 test test 4096 2014-06-07 18:12 ..
drwx------ 2 test test 8 2014-06-07 17:29 certs
-rw------- 1 test test 0 2014-06-07 16:58 index.txt
drwx------ 2 test test 1 2014-06-07 16:58 newcerts
drwx------ 2 test test 8 2014-06-07 17:25 private
drwx------ 2 test test 8 2014-06-07 17:26 requests
lrwxrwxrwx 1 test test 36 2014-06-07 17:10 my-principal.crt ->
certs/krb5.usr.my-principal.cert.pem
lrwxrwxrwx 1 test test 24 2014-06-07 17:10 my-principal.key ->
private/krb5.usr.key.pem
###
i originally made my private key require a password. that seemed
to make the kinit process fail with a message, so i tried it again
with no password. that also failed, but later in the process.
is it possible to allow the certificate key to require a password?
this one used no password.
###
head my-principal.key
+ head my-principal.key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCfLR9Ytt7bBAI0
...
head my-principal.crt
+ head my-principal.crt
-----BEGIN CERTIFICATE-----
MIIGFjCCA/6gAwIBAgIJAKdOc11tq6uxMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
...
openssl x509 -text -in my-principal.crt
+ openssl x509 -text -in my-principal.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12055700097626516401 (0xa74e735d6dababb1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=na, O=domain.name, OU=krb5 ca,
CN=hostname.domain.name
Validity
Not Before: Jun 7 21:28:23 2014 GMT
Not After : Jun 10 00:00:00 2014 GMT
Subject: C=US, ST=na, O=domain.name, OU=krb5 client, CN=client =
my/principal
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:9f:2d:1f:58:b6:de:db:04:02:34:c2:c7:04:c1:
...
a4:49:e9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.4
X509v3 Subject Key Identifier:
F0:14:9B:31:CD:0E:9B:F3:D9:ED:5E:31:90:95:40:31:28:DF:1F:D0
X509v3 Authority Key Identifier:
keyid:1C:D9:AC:3F:8F:7D:93:EA:78:F5:44:2E:F4:F0:02:7E:CD:B8:80:04
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
36:ea:21:9a:b6:1e:ec:25:1d:bb:c5:b7:c4:ca:40:47:f3:94:
...
59:f1:71:4c:8b:d2:19:52
-----BEGIN CERTIFICATE-----
MIIGFjCCA/6gAwIBAgIJAKdOc11tq6uxMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
...
zPPusRGo9Aejli+4ifpoDeG8WfFxTIvSGVI=
-----END CERTIFICATE-----
### on kerberos-5.12.1 kdc: KRB5_TRACE=/dev/stdout krb5kdc -n
### on kerberos-5.12.1 kdc: kadmin.local
kadmin.local: getprinc my/principal
Principal: my/principal at DOMAIN.NAME
Expiration date: [never]
Last password change: Thu May 29 21:19:48 EDT 2014
Password expiration date: [none]
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 12:00:00
Last modified: Sat Jun 07 16:56:09 EDT 2014 (root/admin at DOMAIN.NAME)
Last successful authentication: Fri May 30 10:46:27 EDT 2014
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 0
MKey: vno 1
Attributes: DISALLOW_POSTDATED DISALLOW_FORWARDABLE DISALLOW_PROXIABLE
REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:
###
i also ran: 'purgekeys -all my/principal'
###
KRB5_TRACE=/dev/stdout kinit my/principal
### long lines broken up for readability
+ kinit my/principal
+ KRB5_TRACE=/dev/stdout
[2081] 1402179276.102049: Getting initial credentials for
my/principal at DOMAIN.NAME
[2081] 1402179276.107106: Sending request (186 bytes) to DOMAIN.NAME
[2081] 1402179276.107637: Resolving hostname kdc.domain.name
[2081] 1402179276.109412: Sending initial UDP request to dgram
1.2.3.5:88
[2081] 1402179276.110392: Received answer (265 bytes) from dgram
1.2.3.5:88
[2081] 1402179276.110688: Response was from master KDC
[2081] 1402179276.110963: Received error from KDC:
-1765328359/Additional pre-authentication required
[2081] 1402179276.111264: Processing preauth types: 16, 15, 14, 136,
147, 133
[2081] 1402179276.111494: Received cookie: MIT
[2081] 1402179276.111752: PKINIT client has no configured identity;
giving up
[2081] 1402179276.112019: Preauth module pkinit (147) (info)
returned: 0/Success
[2081] 1402179276.112265: PKINIT client has no configured identity;
giving up
[2081] 1402179276.112491: Preauth module pkinit (16) (real)
returned: 22/Invalid argument
[2081] 1402179276.112757: PKINIT client has no configured identity;
giving up
[2081] 1402179276.113097: Preauth module pkinit (14) (real)
returned: 22/Invalid argument
[2081] 1402179276.113332: PKINIT client has no configured identity;
giving up
[2081] 1402179276.113548: Preauth module pkinit (14) (real)
returned: 22/Invalid argument
kinit: Invalid argument while getting initial credentials
### krb5kdc output: none
### /var/log/messages related to kinit:
Jun 7 18:14:36 kdc krb5kdc[6158]: AS_REQ (2 etypes {18 26})
1.2.3.4: NEEDED_PREAUTH: my/principal at DOMAIN.NAME for
krbtgt/DOMAIN.NAME at DOMAIN.NAME, Additional pre-authentication required
###
this seemed odd to me, especially in view of the
pkinit_identity = DIR:/home/%{username}/.krb5.id
line in the krb5.conf file. so i ran a second test, and got
slightly different results. those different results make me
wonder if the %{username} entry does not quite work as
expected.
###
sleep 5
+ sleep 5
date
+ date
Sat Jun 7 18:14:41 EDT 2014
sleep 5
+ sleep 5
KRB5_TRACE=/dev/stdout kinit \
-X X509_user_identity=DIR:/home/test/.krb5.id my/principal
+ kinit -X X509_user_identity=DIR:/home/test/.krb5.id my/principal
+ KRB5_TRACE=/dev/stdout
[2083] 1402179286.136613: Getting initial credentials for
my/principal at DOMAIN.NAME
[2083] 1402179286.137022: Sending request (186 bytes) to DOMAIN.NAME
[2083] 1402179286.137132: Resolving hostname kdc.domain.name
[2083] 1402179286.138697: Sending initial UDP request to dgram
1.2.3.5:88
[2083] 1402179286.139653: Received answer (265 bytes) from dgram
1.2.3.5:88
[2083] 1402179286.139995: Response was from master KDC
[2083] 1402179286.140285: Received error from KDC:
-1765328359/Additional pre-authentication required
[2083] 1402179286.140615: Processing preauth types: 16, 15, 14, 136,
147, 133
[2083] 1402179286.140874: Received cookie: MIT
[2083] 1402179286.141684: Preauth module pkinit (147) (info) returned:
0/Success
[2083] 1402179286.143752: PKINIT client computed kdc-req-body
checksum 9/01AEFE2BB643A84AD1A237E0D934C7BB8896ED67
[2083] 1402179286.144170: PKINIT client making DH request
[2083] 1402179286.188799: Preauth module pkinit (16) (real) returned:
0/Success
[2083] 1402179286.189322: Produced preauth for next request: 133, 16
[2083] 1402179286.189651: Sending request (5241 bytes) to DOMAIN.NAME
[2083] 1402179286.189953: Resolving hostname kdc.domain.name
[2083] 1402179286.190807: Initiating TCP connection to stream 1.2.3.5:88
[2083] 1402179286.191375: Sending TCP request to stream 1.2.3.5:88
[2083] 1402179286.193202: Received answer (185 bytes) from stream
1.2.3.5:88
[2083] 1402179286.193640: Response was from master KDC
[2083] 1402179286.193942: Received error from KDC:
-1765328309/Client name mismatch
kinit: Client name mismatch while getting initial credentials
### krb5kdc output: none
### /var/log/messages related to kinit:
Jun 7 18:14:46 kdc krb5kdc[6158]: AS_REQ (2 etypes {18 26})
1.2.3.4: NEEDED_PREAUTH: my/principal at DOMAIN.NAME for
krbtgt/DOMAIN.NAME at DOMAIN.NAME, Additional pre-authentication
required
Jun 7 18:14:46 kdc krb5kdc[6158]: preauth (pkinit) verify failure:
Client name mismatch
Jun 7 18:14:46 kdc krb5kdc[6158]: AS_REQ (2 etypes {18 26})
1.2.3.4: PREAUTH_FAILED: my/principal at DOMAIN.NAME for
krbtgt/DOMAIN.NAME at DOMAIN.NAME, Client name mismatch
Jun 7 18:14:46 kdc krb5kdc[6158]: closing down fd 12
hostname(test) 2 $
Script done on Sat 07 Jun 2014 06:14:48 PM EDT
i think this indicates i got most of the way through the pkinit
process before <whatever> blew up. if i remember correctly, the
'Client name mismatch' message made me look at what went into the
openssl certificates and raised my earlier questions about pkinit.
since the certificate to principal mapping does not exist, and
since openssl x509 -text does not properly format the kerberos
extensions, how can i tell just what blew up and where? and,
perhaps most important, how can i fix it?
any questions, comments, or suggestions?
thank you for your time and assistance.
frank smith
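The "othername:<unsupported>" line in the openssl output above is the PKINIT subject alternative name (OID 1.3.6.1.5.2.2, a KRB5PrincipalName per RFC 4556), which openssl's text printer cannot decode; the KDC compares that name with the principal kinit asked for, which is what a "Client name mismatch" is about. The following is an added diagnostic example, not code from the post or from MIT krb5: it DER-encodes and decodes that structure so the value that belongs in (or is found in) the certificate can be checked against the requested principal. The principal string is constructed.

```python
# Added example (not from the post or MIT krb5): encode/decode the PKINIT
# KRB5PrincipalName carried in the SubjectAltName otherName (OID 1.3.6.1.5.2.2,
# RFC 4556 section 3.2.2) and compare it with the requested client principal.
# The principal value used here is constructed for the example.

PKINIT_SAN_OID = "1.3.6.1.5.2.2"  # id-pkinit-san, the otherName type-id
NT_PRINCIPAL = 1                  # name-type of ordinary "user/instance" names


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; the bodies built here are well under 256 bytes."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the value) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_krb5_principal_name(principal: str) -> bytes:
    """DER-encode KRB5PrincipalName for a 'comp1/comp2@REALM' string."""
    name, realm = principal.rsplit("@", 1)
    # Realm and every name component are KerberosString = GeneralString (0x1b)
    realm_der = _tlv(0x1B, realm.encode("ascii"))
    name_type = _tlv(0x02, bytes([NT_PRINCIPAL]))             # INTEGER
    name_str = _tlv(0x30, b"".join(_tlv(0x1B, c.encode("ascii"))
                                   for c in name.split("/")))
    principal_name = _tlv(0x30, _tlv(0xA0, name_type) + _tlv(0xA1, name_str))
    return _tlv(0x30, _tlv(0xA0, realm_der) + _tlv(0xA1, principal_name))


def decode_krb5_principal_name(der: bytes) -> str:
    """Decode KRB5PrincipalName DER back into 'comp1/comp2@REALM'."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    _, realm_ctx, pos = _read_tlv(outer, 0)                # [0] Realm
    _, pn_ctx, _ = _read_tlv(outer, pos)                   # [1] PrincipalName
    _, pn, _ = _read_tlv(pn_ctx, 0)
    _, _, pos = _read_tlv(pn, 0)                           # [0] name-type, unused
    _, names_seq, _ = _read_tlv(_read_tlv(pn, pos)[1], 0)  # [1] name-string
    comps, pos = [], 0
    while pos < len(names_seq):
        _, comp, pos = _read_tlv(names_seq, pos)
        comps.append(comp.decode("ascii"))
    return "/".join(comps) + "@" + _read_tlv(realm_ctx, 0)[1].decode("ascii")
```

To inspect a real certificate, the raw otherName value can be located with `openssl asn1parse -in my-principal.crt` (using `-strparse` on the extension's offset, which varies per certificate) and fed to decode_krb5_principal_name; the decoded string must equal the exact principal given to kinit, including the realm.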