Authenticating on kerberos via certifates
Douglas E. Engert
deengert at anl.gov
Thu Jan 10 10:06:46 EST 2008
Andrea wrote:
> Hi all,
> I'm facing with this problem:
>
> I have a working authentication configure system that uses Kerberos
> for authentication. The credentials that have to be passed in order to
> obtain a TGT are username and password. Now I'm looking for some hint
> on how to authenticate on kerberos through certificates like X.509.
>
> This is what I want:
>
> Let's assume that an user has a valid certificate created by a CA. The
> user can authenticate himself without prompting any user/pwd but just
> having the certificate. According to you is it possible to construct
> an intermediate layer between the user and kerberos which maps the
> certificates in credentials allowing Kerberos to authenticate the user
> himself.
Yes, that is called PKINIT, Heimdal and MIT have just introduced this
late last year. Windows has also supported this since W2000, as smart
card login. All three have clients and KDCs, and can intreroperate.
On Unix for login at the console you will also need a pam_krb5 like
http://www.eyrie.org/~eagle/software/pam-krb5/
Usually the certificate and private key are on a smartcard. So also see
http://www.opensc-project.org/
>
> Thanks in advance,
> Andrea
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list