kinit pkinit question.
Matthew Andrews
matt at slackers.net
Sat Mar 1 01:46:14 EST 2008
| Matt,
| The obvious question is whether your KDC is properly configured for
| pkinit? Also, is the client configured to require preauthentication?
| If so, the KDC should offer the pkinit preauth method to the client in
| a preauth-required message. Unlike the Heimdal client, the MIT client
| will not send padata automatically just because you specified
| pkinit_identity and pkinit_anchors.
|
| K.C.
|
|
Well, I have the following in the kdc.conf in the realms stanza entry
for the realm in question:
    pkinit_identity = FILE:/opt/krb-1.6.3/var/krb5kdc/kdc_cert.pem,/opt/krb-1.6.3/var/krb5kdc/kdc_key.pem
    pkinit_anchors=DIR:/opt/krb-1.6.3/var/krb5kdc/ca_certs/
The KDC certificate is as follows:
# openssl x509 -in /opt/krb-1.6.3/var/krb5kdc/kdc_cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-spirit.fake.domain, CN=Globus Simple CA
        Validity
            Not Before: Oct 21 00:27:12 2007 GMT
            Not After : Oct 20 00:27:12 2008 GMT
        Subject: O=Grid, OU=GlobusTest, OU=simpleCA-spirit.fake.domain, CN=krb5kdc/spirit.fake.domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:55:45:e4:c7:0c:67:94:ec:4d:cc:0b:fb:38:
                    21:2b:bd:a3:2b:db:31:89:2b:58:78:30:40:2c:4d:
                    64:29:6d:96:67:b6:d2:fe:72:83:97:8a:6a:8a:d6:
                    9d:c8:4f:81:61:a8:ab:e7:e4:f2:e8:c5:33:1a:85:
                    fd:f0:5c:55:cc:ec:cf:1e:48:27:d0:0c:92:c2:c2:
                    50:db:03:7f:43:0e:b1:6d:2f:a1:8f:b7:8a:43:0c:
                    2d:e0:1d:af:ac:af:2c:c3:79:bf:15:9f:20:43:ac:
                    5c:c6:61:13:30:e1:59:fb:3e:5c:1e:34:06:0a:d9:
                    ba:4e:30:01:be:31:b6:28:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                othername:<unsupported>
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.5
    Signature Algorithm: md5WithRSAEncryption
        2c:08:fc:bb:9f:32:67:85:28:6e:d1:0f:17:73:3d:32:0b:e8:
        8b:19:df:a5:3e:99:44:da:77:94:d3:86:6b:b2:dc:39:2f:ec:
        d9:25:6c:51:67:0d:f3:ac:9b:d2:98:11:3f:3e:3d:aa:32:56:
        b2:bb:84:cd:78:9e:b9:e4:d8:f3:22:00:55:25:04:15:22:a1:
        d3:7b:d0:98:da:ec:8c:50:dd:b3:02:1a:8a:52:43:c7:da:df:
        0a:af:43:f0:fe:99:26:d5:8b:bd:e3:b6:20:49:3e:1b:e8:13:
        90:c0:27:76:9c:31:56:5a:28:0c:3f:c7:ad:de:e6:13:0e:f7:
        ef:39
and was created using the following extensions as specified in
openssl.conf format:
[ v3_kdc ]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_principal_seq
extendedKeyUsage=1.3.6.1.5.2.3.5
[ kdc_principal_seq ]
realm=UTF8:FSG.FAKE.DOMAIN
principalName=SEQUENCE:kdc_principal_name
[ kdc_principal_name ]
name-type=INTEGER:2
namestring=SEQUENCE:kdc_principal_name_strings
[ kdc_principal_name_strings ]
name=UTF8:krbtgt/FSG.FAKE.DOMAIN
When starting the KDC with the pkinit plugin built with the DEBUG symbol
defined, I see the following messages:
pkinit_server_plugin_init: processing realm 'FSG.NERSC.GOV'
pkinit_server_plugin_init_realm: initializing context at 0x80cc3f0 for realm 'FSG.NERSC.GOV'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x80d5510
pkinit_init_identity_crypto: returning ctx at 0x80d6590
pkinit_init_kdc_profile: entered for realm FSG.NERSC.GOV
pkinit_identity_initialize: 0x80c70e0 0x80d6650 0x80d6590
process_option_identity: processing value 'FILE:/opt/krb-1.6.3/var/krb5kdc/kdc_cert.pem,/opt/krb-1.6.3/var/krb5kdc/kdc_key.pem'
process_option_identity: idtype is FILE
process_option_ca_crl: processing catype ANCHORS, value 'DIR:/opt/krb-1.6.3/var/krb5kdc/ca_certs/'
crypto_load_cas_and_crls: called with idtype DIR and catype ANCHORS
no anchors in file, /opt/krb-1.6.3/var/krb5kdc/ca_certs//grid-security.conf.29c870c0
no anchors in file, /opt/krb-1.6.3/var/krb5kdc/ca_certs//globus-user-ssl.conf.29c870c0
pkinit_server_plugin_init_realm: returning context at 0x80cc3f0 for realm 'FSG.NERSC.GOV'
pkinit_server_plugin_init: returning context at 0x80cc3e0
Again, I'm still not sure what I'm missing. I'm sure that in the end
it'll be something that I go "oh, DUH!" about, but for now I don't see
it. Thanks for the help.
-Matt Andrews
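As an added check (this is not code from the original message or from MIT krb5), a small Python DER walker that decodes the KRB5PrincipalName otherName (OID 1.3.6.1.5.2.2) that openssl prints as "othername:<unsupported>" and verifies it names krbtgt/REALM with name-type 2 (NT-SRV-INST). It assumes the RFC 4556 section 3.2.4 layout, KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName } with PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString } and KerberosString encoded as GeneralString (tag 0x1B); the two sample inputs are constructed inline, reusing the realm FSG.FAKE.DOMAIN from the openssl.conf above, and the second one reproduces the untagged UTF8String form that the SEQUENCE:/UTF8: directives there generate.

```python
# Added checker (not code from the original message or from MIT krb5): decodes the
# KRB5PrincipalName otherName (OID 1.3.6.1.5.2.2) in a PKINIT KDC certificate's SAN,
# which openssl shows only as "othername:<unsupported>", and checks it names krbtgt/REALM.
def der(tag, body):  # encode one DER TLV; short-form length is enough for these inputs
    return bytes([tag, len(body)]) + body

def tlv(buf, pos=0):  # decode the TLV at buf[pos:] -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - k:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def field(buf, pos, ctx, want):  # consume [ctx] EXPLICIT { want } -> (inner body, next pos)
    tag, body, nxt = tlv(buf, pos)
    if tag != 0xA0 | ctx:
        raise ValueError(f"expected [{ctx}] EXPLICIT tag, got 0x{tag:02x}")
    inner, payload, _ = tlv(body)
    if inner != want:
        raise ValueError(f"[{ctx}]: expected inner tag 0x{want:02x}, got 0x{inner:02x}")
    return payload, nxt

def parse_krb5_principal_name(value):  # -> (realm, name_type, name_string components)
    tag, seq, _ = tlv(value)
    if tag != 0x30:
        raise ValueError(f"KRB5PrincipalName must be a SEQUENCE, got tag 0x{tag:02x}")
    realm, pos = field(seq, 0, 0, 0x1B)    # realm [0] GeneralString
    pn, _ = field(seq, pos, 1, 0x30)       # principalName [1] SEQUENCE
    ntype, pos = field(pn, 0, 0, 0x02)     # name-type [0] INTEGER
    strings, _ = field(pn, pos, 1, 0x30)   # name-string [1] SEQUENCE OF GeneralString
    parts, pos = [], 0
    while pos < len(strings):
        t, s, pos = tlv(strings, pos)
        if t != 0x1B:
            raise ValueError(f"name-string component tag 0x{t:02x} is not GeneralString")
        parts.append(s.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(ntype, "big", signed=True), parts

def kdc_san_ok(value, realm):  # True iff the otherName is krbtgt/REALM, name-type NT-SRV-INST (2)
    r, ntype, parts = parse_krb5_principal_name(value)
    return r == realm and ntype == 2 and parts == ["krbtgt", realm]

def build_krb5_principal_name(realm, parts, name_type=2):  # constructed test input, RFC 4556 form
    gs = lambda s: der(0x1B, s.encode("ascii"))
    pn = der(0x30, der(0xA0, der(0x02, bytes([name_type]))) + der(0xA1, der(0x30, b"".join(map(gs, parts)))))
    return der(0x30, der(0xA0, gs(realm)) + der(0xA1, pn))

REALM = "FSG.FAKE.DOMAIN"
GOOD = build_krb5_principal_name(REALM, ["krbtgt", REALM])
# Same fields as plain SEQUENCEs and UTF8Strings (0x0C) with one "krbtgt/REALM" string, i.e. what
# the SEQUENCE:/UTF8: directives in the openssl.conf above produce; field() rejects it at [0].
UNTAGGED = der(0x30, der(0x0C, REALM.encode()) + der(0x30, der(0x02, b"\x02")
               + der(0x30, der(0x0C, b"krbtgt/" + REALM.encode()))))
```

To run it against a real certificate, pass the otherName value bytes taken from the SAN extension with an ASN.1 dumper; the first field that does not match raises ValueError naming the tag that was found.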