kinit pkinit question.

Matthew Andrews matt at slackers.net
Sat Mar 1 01:46:14 EST 2008




| Matt,
| The obvious question is whether your KDC is properly configured for
| pkinit?  Also, is the client configured to require preauthentication?
| If so, the KDC should offer the pkinit preauth method to the client in
| a preauth-required message.  Unlike the Heimdal client, the MIT client
| will not send padata automatically just because you specified
| pkinit_identity and pkinit_anchors.
|
| K.C.
|
|

Well, I have the following in the kdc.conf in the realms stanza entry
for the realm in question:

  pkinit_identity = FILE:/opt/krb-1.6.3/var/krb5kdc/kdc_cert.pem,/opt/krb-1.6.3/var/krb5kdc/kdc_key.pem
  pkinit_anchors=DIR:/opt/krb-1.6.3/var/krb5kdc/ca_certs/

the kdc certificate is as follows:

# openssl x509 -in /opt/krb-1.6.3/var/krb5kdc/kdc_cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-spirit.fake.domain, CN=Globus Simple CA
        Validity
            Not Before: Oct 21 00:27:12 2007 GMT
            Not After : Oct 20 00:27:12 2008 GMT
        Subject: O=Grid, OU=GlobusTest, OU=simpleCA-spirit.fake.domain, CN=krb5kdc/spirit.fake.domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:55:45:e4:c7:0c:67:94:ec:4d:cc:0b:fb:38:
                    21:2b:bd:a3:2b:db:31:89:2b:58:78:30:40:2c:4d:
                    64:29:6d:96:67:b6:d2:fe:72:83:97:8a:6a:8a:d6:
                    9d:c8:4f:81:61:a8:ab:e7:e4:f2:e8:c5:33:1a:85:
                    fd:f0:5c:55:cc:ec:cf:1e:48:27:d0:0c:92:c2:c2:
                    50:db:03:7f:43:0e:b1:6d:2f:a1:8f:b7:8a:43:0c:
                    2d:e0:1d:af:ac:af:2c:c3:79:bf:15:9f:20:43:ac:
                    5c:c6:61:13:30:e1:59:fb:3e:5c:1e:34:06:0a:d9:
                    ba:4e:30:01:be:31:b6:28:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                othername:<unsupported>
            X509v3 Extended Key Usage:
                1.3.6.1.5.2.3.5
    Signature Algorithm: md5WithRSAEncryption
        2c:08:fc:bb:9f:32:67:85:28:6e:d1:0f:17:73:3d:32:0b:e8:
        8b:19:df:a5:3e:99:44:da:77:94:d3:86:6b:b2:dc:39:2f:ec:
        d9:25:6c:51:67:0d:f3:ac:9b:d2:98:11:3f:3e:3d:aa:32:56:
        b2:bb:84:cd:78:9e:b9:e4:d8:f3:22:00:55:25:04:15:22:a1:
        d3:7b:d0:98:da:ec:8c:50:dd:b3:02:1a:8a:52:43:c7:da:df:
        0a:af:43:f0:fe:99:26:d5:8b:bd:e3:b6:20:49:3e:1b:e8:13:
        90:c0:27:76:9c:31:56:5a:28:0c:3f:c7:ad:de:e6:13:0e:f7:
        ef:39


and was created using the following extensions as specified in
openssl.conf format:

[ v3_kdc ]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_principal_seq
extendedKeyUsage=1.3.6.1.5.2.3.5
[ kdc_principal_seq ]
realm=UTF8:FSG.FAKE.DOMAIN
principalName=SEQUENCE:kdc_principal_name
[ kdc_principal_name ]
name-type=INTEGER:2
namestring=SEQUENCE:kdc_principal_name_strings
[ kdc_principal_name_strings ]
name=UTF8:krbtgt/FSG.FAKE.DOMAIN


when starting the kdc with the pkinit plugin built with the DEBUG symbol
defined, I see the following messages:

pkinit_server_plugin_init: processing realm 'FSG.NERSC.GOV'
pkinit_server_plugin_init_realm: initializing context at 0x80cc3f0 for realm 'FSG.NERSC.GOV'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x80d5510
pkinit_init_identity_crypto: returning ctx at 0x80d6590
pkinit_init_kdc_profile: entered for realm FSG.NERSC.GOV
pkinit_identity_initialize: 0x80c70e0 0x80d6650 0x80d6590
process_option_identity: processing value 'FILE:/opt/krb-1.6.3/var/krb5kdc/kdc_cert.pem,/opt/krb-1.6.3/var/krb5kdc/kdc_key.pem'
process_option_identity: idtype is FILE
process_option_ca_crl: processing catype ANCHORS, value 'DIR:/opt/krb-1.6.3/var/krb5kdc/ca_certs/'
crypto_load_cas_and_crls: called with idtype DIR and catype ANCHORS
no anchors in file, /opt/krb-1.6.3/var/krb5kdc/ca_certs//grid-security.conf.29c870c0
no anchors in file, /opt/krb-1.6.3/var/krb5kdc/ca_certs//globus-user-ssl.conf.29c870c0
pkinit_server_plugin_init_realm: returning context at 0x80cc3f0 for realm 'FSG.NERSC.GOV'
pkinit_server_plugin_init: returning context at 0x80cc3e0



Again, I'm still not sure what I'm missing. I'm sure that in the end
it'll be something that I go "oh, DUH!" about, but for now I don't see
it. Thanks for the help.

-Matt Andrews
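The certificate dump in the message above shows the pkinit SAN only as `othername:<unsupported>`, so openssl on its own cannot tell whether the KDC's name inside that otherName is encoded the way RFC 4556 requires (explicit [0]/[1] tags, GeneralString values, and a two-component name-string of `krbtgt` and the realm). The following Python is an added example, not code from the original post or from MIT krb5: it builds an id-pkinit-san otherName in the RFC 4556 form, decodes one back out of DER, and checks it against the expected krbtgt/REALM@REALM. It also constructs a second encoding with untagged UTF8String values and a single "krbtgt/REALM" component, which is what an openssl.conf SEQUENCE stanza without `EXP:n` modifiers generates, to show that the decoder reports exactly where such an encoding departs from the RFC. The realm FSG.FAKE.DOMAIN comes from the post; every function name and both sample encodings are this example's own.

```python
"""Decode and check the id-pkinit-san otherName (OID 1.3.6.1.5.2.2) of a KDC certificate.
RFC 4556 section 3.2.4 (Kerberos uses EXPLICIT tags; KerberosString is GeneralString):
  KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
  PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
"""

ID_PKINIT_SAN = bytes.fromhex("06062b0601050202")  # DER TLV of OID 1.3.6.1.5.2.2
SEQUENCE, INTEGER, OID, GENERALSTRING, UTF8STRING = 0x30, 0x02, 0x06, 0x1B, 0x0C
NT_SRV_INST = 2  # name-type of krbtgt/REALM

def _der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _ctx(n, body):  # [n] EXPLICIT (constructed context tag) around an encoded value
    return _tlv(0xA0 | n, body)

def _der_int(n):  # minimal two's-complement INTEGER body for a non-negative Int32
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)

def encode_pkinit_san(realm, name_type, components):
    """Constructed sample: OtherName { id-pkinit-san, [0] KRB5PrincipalName } in RFC 4556 form."""
    ns = b"".join(_tlv(GENERALSTRING, c.encode()) for c in components)
    pn = _tlv(SEQUENCE, _ctx(0, _tlv(INTEGER, _der_int(name_type))) + _ctx(1, _tlv(SEQUENCE, ns)))
    kpn = _tlv(SEQUENCE, _ctx(0, _tlv(GENERALSTRING, realm.encode())) + _ctx(1, pn))
    return _tlv(SEQUENCE, ID_PKINIT_SAN + _ctx(0, kpn))

def encode_untagged_utf8_variant(realm, name_type, components):
    """Constructed counter-example: same fields, but untagged UTF8String values, which is what
    an openssl.conf SEQUENCE stanza without EXP:n modifiers generates."""
    ns = b"".join(_tlv(UTF8STRING, c.encode()) for c in components)
    pn = _tlv(SEQUENCE, _tlv(INTEGER, _der_int(name_type)) + _tlv(SEQUENCE, ns))
    kpn = _tlv(SEQUENCE, _tlv(UTF8STRING, realm.encode()) + pn)
    return _tlv(SEQUENCE, ID_PKINIT_SAN + _ctx(0, kpn))

def _read_tlv(buf, pos=0):
    """(tag, body, next_pos) for the TLV at buf[pos]; handles short and long length forms."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated TLV body")
    return tag, body, pos + length

def _expect(buf, tag, what):  # body of the TLV at the start of buf, which must carry `tag`
    t, body, _ = _read_tlv(buf)
    if t != tag:
        raise ValueError(f"{what}: expected tag 0x{tag:02x}, got 0x{t:02x}")
    return body

def _items(body):  # (tag, body) pairs of the members of a constructed value
    out, pos = [], 0
    while pos < len(body):
        t, b, pos = _read_tlv(body, pos)
        out.append((t, b))
    return out

def decode_pkinit_san(der):
    """Return (realm, name_type, name_string) or raise ValueError naming the first defect."""
    other = _items(_expect(der, SEQUENCE, "OtherName"))
    if len(other) != 2 or other[0][0] != OID or other[1][0] != 0xA0:
        raise ValueError("OtherName must be SEQUENCE { OID, [0] EXPLICIT value }")
    if _tlv(OID, other[0][1]) != ID_PKINIT_SAN:
        raise ValueError("type-id is not id-pkinit-san (1.3.6.1.5.2.2)")
    kpn = _items(_expect(other[1][1], SEQUENCE, "KRB5PrincipalName"))
    if [t for t, _ in kpn] != [0xA0, 0xA1]:
        raise ValueError("KRB5PrincipalName needs explicit tags [0] realm and [1] principalName")
    realm = _expect(kpn[0][1], GENERALSTRING, "realm").decode()
    pn = _items(_expect(kpn[1][1], SEQUENCE, "PrincipalName"))
    if [t for t, _ in pn] != [0xA0, 0xA1]:
        raise ValueError("PrincipalName needs explicit tags [0] name-type and [1] name-string")
    name_type = int.from_bytes(_expect(pn[0][1], INTEGER, "name-type"), "big", signed=True)
    comps = []
    for t, b in _items(_expect(pn[1][1], SEQUENCE, "name-string")):
        if t != GENERALSTRING:
            raise ValueError(f"name-string component tag 0x{t:02x} is not GeneralString")
        comps.append(b.decode())
    return realm, name_type, comps

def check_kdc_san(der, realm):
    """(ok, detail): ok only when the SAN names krbtgt/REALM@REALM with name-type NT-SRV-INST."""
    try:
        r, nt, comps = decode_pkinit_san(der)
    except ValueError as e:
        return False, str(e)
    if r != realm:
        return False, f"realm {r!r} does not match {realm!r}"
    if nt != NT_SRV_INST:
        return False, f"name-type {nt} is not NT-SRV-INST ({NT_SRV_INST})"
    if comps != ["krbtgt", realm]:
        return False, f"name-string {comps} is not ['krbtgt', {realm!r}]"
    return True, f"krbtgt/{realm}@{realm}"
```

To run this against a real KDC certificate rather than the constructed samples, locate the subjectAltName extension with `openssl asn1parse` and hand the OtherName SEQUENCE bytes to `decode_pkinit_san`; the ValueError text then says which tag or string type is off, which is the information the `<unsupported>` line withholds.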


