[Fwd: Re: problem in sending AS_REQ]

Kevin Coffman kwc at umich.edu
Tue May 27 17:13:43 EDT 2008


On Tue, May 27, 2008 at 11:09 AM, naveen.bn
<naveen.bn at globaledgesoft.com> wrote:
>
>
>
> ---------- Forwarded message ----------
> From: "naveen.bn" <naveen.bn at globaledgesoft.com>
> To: Kevin Coffman <kwc at umich.edu>
> Date: Tue, 27 May 2008 15:06:25 +0000
> Subject: Re: problem in sending AS_REQ
> Kevin Coffman wrote:
>
>> On Mon, May 26, 2008 at 12:02 PM, naveen.bn
>> <naveen.bn at globaledgesoft.com> wrote:
>>
>>>
>>> Hi all,
>>> This is my krb5.conf:
>>> *********************  krb5.conf ******************************
>>> [libdefaults]
>>>  default_realm = _kerberos._udp.globaledgesoft.com
>>>  krb4_config = /usr/kerberos/lib/krb.conf
>>>  krb5_realms = /usr/kerberos/lib/krb.realms
>>>  pkinit_anchors  = FILE:/secure/ca-cert.pem
>>>
>>> [realms]
>>>   _kerberos._udp.globaledgesoft.com = {
>>>      admin_server = 172.16.8.141
>>>      kdc = 172.16.8.141
>>>      v4_instance_convert = {
>>>          gesl =  _kerberos._udp.globaledgesoft.com
>>>          lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>>>      }
>>>
>>>  pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>>>
>>>  }
>>>  ANDREW.CMU.EDU = {
>>>      admin_server = 172.16.8.141
>>>  }
>>> # use "kdc =" if realm admins haven't put SRV records into DNS
>>>      GNU.ORG = {
>>>              kdc = 172.16.8.141
>>>              kdc = 172.16.9.141
>>>              admin_server = 172.16.8.141
>>>      }
>>>
>>> [domain_realm]
>>>  .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>  globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>
>>> [logging]
>>> #    kdc = CONSOLE
>>>  kdc=FILE:/var/krb5kdc.log
>>>  admin_server = FILE:/var/log/kadmin.log
>>>      default = FILE:/var/log/krb5lib.log
>>> ***********************************************************************
>>> and this is my kdc.conf
>>> [kdcdefaults]
>>>  kdc_ports = 750,88
>>>  pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>  pkinit_anchors=DIR:/secure/ca-cert.pem
>>>
>>
>> For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>>
>>
>>>
>>> [realms]
>>> _kerberos._udp.globaledgesoft.com = {
>>>      database_name = /usr/local/var/krb5kdc/principal
>>>      admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>>>      acl_file = /usr/local/var/krb5kdc/kadm5.acl
>>>      key_stash_file =
>>> /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>>>      kdc_ports = 750,88
>>>      max_life = 10h 0m 0s
>>>      max_renewable_life = 7d 0h 0m 0s
>>>
>>>  pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>  pkinit_anchors=DIR:/secure/ca-cert.pem
>>>  }
>>>
>>> ***************************************** kdc.conf **********************
>>> I have used the openssl program to generate mycert.pem and the key, but I
>>> have not signed it with anything (neither self-signed nor with a CA).
>>>
>>
>> I'm not sure what you mean here.  A certificate must be signed by
>> someone/something.  The client will not attempt preauth if the
>> server's certificate is not trusted.
>>
>>
>>>
>>> kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key
>>> naveen
>>> kinit(v5): Unknown code u8JW 88 while setting
>>> 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>>>
>>
>> Obviously, there is a problem with that error code.
>>
>>
>>>
>>> I am not able to send an AS_REQ with padata filled with certificates.
>>> I am stuck here, please help me.
>>>
>>> thank you .
>>>
>>> with regards
>>> naveen
>>>
>>
>> The MIT client will not send pkinit information until the server
>> indicates it will accept it.  The server does this by indicating that
>> the client principal requires preauthentication, and that pkinit is an
>> acceptable form of preauthentication.
>>
>> Does the client principal have the requires_preauth flag set?  Is the
>> server telling the client that pkinit is an acceptable preauth method?
>>
>>
>
> Hi Kevin,
>
> Thank you for your reply, it helped me.  I had not set the requires_preauth
> flag for the client.  Now that I have set the flag I am getting the
> KRB5KDC_ERR_PREAUTH_REQUIRED message from the KDC, and then the client sends
> padata with an encrypted timestamp and I am getting the ticket.  But I want
> to send certificates to the KDC and get the KDC certificate with DH
> parameters.  Please kindly guide me.
> And this is the concept that I have understood, please correct me if I am
> wrong.  I need to generate the ca-cert.pem and ca-private.key using the
> openssl tool, generate the RSA key for the client, like kdc.pem and kdc.key,
> then sign kdc.pem with ca-private.key to generate the KDC certificate,
> similarly for the client, and put the paths of these files in their
> profiles, right?

The certificates don't have to be created using openssl, but that is
one way of doing it.  If you do not currently have any PKI, then
generating a self-signed CA certificate would be a good first step.

This CA certificate can be used to sign a certificate for the KDC.
The KDC's certificate must contain the proper Extended Key Usage (EKU)
KeyPurposeId, to indicate it is intended to be used as a KDC.

From section 3.2.4 of RFC 4556:

       id-pkinit-KPKdc OBJECT IDENTIFIER ::=
         { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
           pkinit(3) keyPurposeKdc(5) }
              -- Signing KDC responses.
              -- Key usage bits that MUST be consistent:
              -- digitalSignature.

The client must possess the self-signed CA certificate, and have it
listed as a trust anchor.

If the reply from the KDC does not include pkinit as an acceptable
preauth mechanism, then there is something wrong with your KDC
configuration.  If it is listed, then there is something wrong with
your client configuration such that it doesn't trust the KDC.

This message has some pointers on creating certs for use with pkinit
with openssl:
http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html

K.C.
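
The recipe above (a self-signed CA, a KDC certificate signed by it that carries the id-pkinit-KPKdc EKU with digitalSignature, and the CA listed as the client's trust anchor) carried out with openssl, as an added example that is not code from this thread or from the linked krbdev message. The CA name, the KDC hostname kdc.example.com, the output directory and the check_kdc_cert helper are all placeholders and assumptions of the example, not values from the thread:

```shell
#!/bin/sh
# Added example, not code from the thread or the linked krbdev message.
# Builds the PKI described above: a self-signed CA, then a KDC certificate
# signed by it that carries the id-pkinit-KPKdc EKU (1.3.6.1.5.2.3.5, RFC 4556
# section 3.2.4) together with the digitalSignature key usage the RFC requires.
# ca.pem is what a client lists in pkinit_anchors; kdc.pem and kdc.key are
# what the KDC lists in pkinit_identity.  Names and paths are placeholders.
set -eu

PKINIT_KDC_EKU="1.3.6.1.5.2.3.5"   # id-pkinit-KPKdc

# Self-signed CA: the trust anchor.  $1 = working directory.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example PKINIT CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Issue a certificate signed by the CA.  $1 = working directory, $2 = base
# name for the output files, $3 = EKU to embed (dotted OID or openssl name).
issue_cert() {
    work="$1"; name="$2"; eku="$3"
    cat > "$work/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=kdc.example.com" \
        -keyout "$work/$name.key" -out "$work/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -sha256 -in "$work/$name.csr" \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -extfile "$work/$name.ext" -out "$work/$name.pem" >/dev/null 2>&1
}

# Two conditions a client needs before it will trust a KDC for pkinit: the
# certificate chains to the configured anchor and it carries the KDC EKU.
# $1 = anchor (ca.pem), $2 = KDC certificate.  Prints exactly one word:
# "ok", "untrusted" or "missing-kdc-eku".
check_kdc_cert() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo untrusted; return 1
    fi
    # Depending on the OpenSSL build the EKU prints as the dotted OID or as
    # the named purpose "Signing KDC Response", so accept either form.
    if ! openssl x509 -in "$2" -noout -text 2>/dev/null \
            | grep -Eq '1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response'; then
        echo missing-kdc-eku; return 1
    fi
    echo ok
}

main() {
    d="$(mktemp -d)"
    make_ca "$d"
    issue_cert "$d" kdc "$PKINIT_KDC_EKU"
    echo "kdc.pem check: $(check_kdc_cert "$d/ca.pem" "$d/kdc.pem")"
    # The profile lines that point at the generated files:
    echo "pkinit_anchors  = FILE:$d/ca.pem"
    echo "pkinit_identity = FILE:$d/kdc.pem,$d/kdc.key"
}
main "$@"
```

check_kdc_cert is a convenience for inspecting a certificate by hand; the krb5 libraries do their own validation. RFC 4556 also describes a KRB5PrincipalName subjectAltName (id-pkinit-san) for the KDC certificate, which this example does not add; check whether the client version in use requires it.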
