Smartcard logon using Unix KDC

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Tue Jan 27 03:11:51 EST 2004


Robert,

As you have discovered, if you want to use the Windows GINA/WinLogon/SSP provided by Microsoft and log on via a UNIX KDC with a smart card, you first need to make the workstation a member of a domain. The only solution I can think of is to develop a new GINA which supports PKINIT and bypasses the Microsoft code that does the same job; this will then work when the workstation is not a member of a domain. We have done this on Windows NT, but our Win2k/XP product does not yet replace the GINA. We are planning to address this requirement in the future, so I would be interested to find out how successful you are.

Thanks, Tim.

-----Original Message-----
From: Prágai Róbert [mailto:pragai at rubin.hu] 
Sent: 27 January 2004 08:03
To: Tim Alsop
Cc: kerberos at MIT.EDU
Subject: Re: Smartcard logon using Unix KDC

Hi Tim,

    I use the Heimdal KDC, which has a PKINIT extension. Although it works only in the Kerberos client - Windows KDC way with Windows, we plan (with Daniel Kouril) to extend its functionality to work in the opposite direction, too. But the basic problem is that the Windows workstation assumes that if the logon is not a domain logon, then it cannot be a PKINIT logon either. Maybe I should change the Kerberos SSP... (You probably have the right answer at CyberSafe :-)

thanks,
Robert
   

> Robert,
>
> For this to work, the UNIX KDC needs to support the PKINIT standard at 
> the same draft level as Microsoft (I believe this is draft 9). Do you 
> know if your KDC supports PKINIT?
>
> Thanks, Tim.
>
> -----Original Message-----
> From: pragai at rubin.hu [mailto:pragai at rubin.hu]
> Sent: 26 January 2004 08:58
> To: kerberos at MIT.EDU
> Subject: Smartcard logon using Unix KDC
>
> Hi,
>
>    I am trying to arrange an environment where users can log on to a 
> Kerberos realm from Windows 2000 workstations via smart card logon.
>
>    I've already reached a point where normal password logon works from 
> Windows workstations to the Kerberos realm, and the smartcard logon 
> works from the Windows workstations to the Windows domain.
>
>    However, when I tested the smart card logon from a Windows 
> workstation to the Kerberos KDC, the workstation initiated a normal 
> password logon to the Unix KDC instead of a smart card logon (according 
> to the network traffic). I repeat: I initiated a logon using the 
> smart card logon process and typed the PIN, but the network flow between 
> the workstation and the Unix KDC was similar to the normal password 
> logon case.
>
>    My questions: is it the intended behaviour of Windows 2000 
> workstations to initiate a normal password logon to Unix KDCs, or have 
> I missed something? If it is intentional, what part of the security 
> system is responsible for it: the GINA, the LSA, the SSP, maybe the 
> corresponding CSP, or something else? What should I change in the 
> system to make this environment work?
>
>    Does anyone have any experience with such an environment?
>
>
> thanks,
> Robert Pragai
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
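As an added illustration for the question above (this is example code written for this thread, not code from CyberSafe, Heimdal or Microsoft): a small DER walker that classifies a captured AS-REQ by the pre-authentication types it carries, which is the quickest way to confirm from a packet capture whether the workstation really attempted PKINIT or fell back to a password logon. The pre-auth type numbers (2 for PA-ENC-TIMESTAMP, 14 for the draft-9 PA-PK-AS-REQ that Windows 2000/XP send, 16 for the RFC 4556 value) are the MIT krb5 constants; the sample requests, realm, nonce and option bits are constructed here. A capture from TCP port 88 carries a 4-byte length prefix that must be stripped before calling the decoder.

```python
# Added example for this thread: decide from a Kerberos AS-REQ whether the
# client attempted a PKINIT (smart card) logon or a password logon, by reading
# the padata-type values. Illustrative code, not from CyberSafe/Heimdal/Microsoft.
# The sample requests built by build_as_req() are constructed, not captured.

PA_ENC_TIMESTAMP = 2    # timestamp encrypted under the password-derived key
PA_PK_AS_REQ_OLD = 14   # PKINIT draft 9 (what Windows 2000/XP send)
PA_PK_AS_REQ = 16       # PKINIT as standardised in RFC 4556

AS_REQ_TAG = 0x6A       # [APPLICATION 10] constructed
AS_REQ_MSG_TYPE = 10


# --- minimal DER encoder, just enough for a bare AS-REQ ---------------------

def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _ctx(n, body):          # explicit context tag [n]
    return _tlv(0xA0 | n, body)

def _seq(body):
    return _tlv(0x30, body)

def build_as_req(padata_types, realm=b"EXAMPLE.COM"):
    """Build a minimal KDC-REQ carrying the given pre-auth types (sample data)."""
    # PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
    padata = b"".join(_seq(_ctx(1, _int(t)) + _ctx(2, _tlv(0x04, b"\x00")))
                      for t in padata_types)
    req_body = _seq(
        _ctx(0, _tlv(0x03, b"\x00\x40\x81\x00\x10"))   # kdc-options (placeholder bits)
        + _ctx(2, _tlv(0x1B, realm))                     # realm, GeneralString
        + _ctx(5, _tlv(0x18, b"20040127120000Z"))        # till, GeneralizedTime
        + _ctx(7, _int(0x1234))                          # nonce (constructed value)
        + _ctx(8, _seq(_int(23)))                        # etype: rc4-hmac
    )
    kdc_req = _ctx(1, _int(5)) + _ctx(2, _int(AS_REQ_MSG_TYPE))
    if padata:
        kdc_req += _ctx(3, _seq(padata))   # [3] padata is OPTIONAL; omitted when empty
    kdc_req += _ctx(4, req_body)
    return _tlv(AS_REQ_TAG, _seq(kdc_req))


# --- minimal DER walker ------------------------------------------------------

def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_int(ctx_body):
    tag, val = _children(ctx_body)[0]
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(val, "big", signed=True)

def preauth_types(as_req):
    """Return the padata-type values of an AS-REQ in wire order ([] if none)."""
    tag, kdc_req, _ = _read_tlv(as_req, 0)
    if tag != AS_REQ_TAG:
        raise ValueError("not an AS-REQ (expected [APPLICATION 10]; TCP length prefix?)")
    seq_tag, seq_body = _children(kdc_req)[0]
    if seq_tag != 0x30:
        raise ValueError("malformed KDC-REQ")
    fields = dict(_children(seq_body))           # context tag byte -> body
    if _decode_int(fields[0xA2]) != AS_REQ_MSG_TYPE:
        raise ValueError("KDC-REQ is not an AS-REQ")
    if 0xA3 not in fields:
        return []                                # first round trip, no pre-auth yet
    _, pa_list = _children(fields[0xA3])[0]      # SEQUENCE OF PA-DATA
    return [_decode_int(dict(_children(pa))[0xA1]) for _, pa in _children(pa_list)]

def classify_logon(as_req):
    """'pkinit' for a smart card attempt, 'password' for enc-timestamp, else 'none'."""
    types = preauth_types(as_req)
    if PA_PK_AS_REQ_OLD in types or PA_PK_AS_REQ in types:
        return "pkinit"
    if PA_ENC_TIMESTAMP in types:
        return "password"
    return "none"

if __name__ == "__main__":
    for kinds in ([PA_ENC_TIMESTAMP], [PA_PK_AS_REQ_OLD], []):
        print(kinds, "->", classify_logon(build_as_req(kinds)))
```

Run against the AS-REQ bytes extracted from the capture (for example, the Kerberos payload of the UDP datagram to port 88); a result of "password" with pre-auth type 2 is what the thread describes, while a genuine smart card attempt shows type 14 from a Windows 2000 client.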