[Fwd: Re: problem in sending AS_REQ]

Kevin Coffman kwc at umich.edu
Wed May 28 10:05:02 EDT 2008


On Wed, May 28, 2008 at 9:06 AM, naveen.bn <naveen.bn at globaledgesoft.com> wrote:
> Kevin Coffman wrote:
>
> On Tue, May 27, 2008 at 11:09 AM, naveen.bn
> <naveen.bn at globaledgesoft.com> wrote:
>
>
> ---------- Forwarded message ----------
> From: "naveen.bn" <naveen.bn at globaledgesoft.com>
> To: Kevin Coffman <kwc at umich.edu>
> Date: Tue, 27 May 2008 15:06:25 +0000
> Subject: Re: problem in sending AS_REQ
> Kevin Coffman wrote:
>
>
>
> On Mon, May 26, 2008 at 12:02 PM, naveen.bn
> <naveen.bn at globaledgesoft.com> wrote:
>
>
>
> Hi all,
> This is my krb5.conf
> *********************  krb5.conf ******************************
> [libdefaults]
>  default_realm = _kerberos._udp.globaledgesoft.com
>  krb4_config = /usr/kerberos/lib/krb.conf
>  krb5_realms = /usr/kerberos/lib/krb.realms
>  pkinit_anchors  = FILE:/secure/ca-cert.pem
>
> [realms]
>   _kerberos._udp.globaledgesoft.com = {
>      admin_server = 172.16.8.141
>      kdc = 172.16.8.141
>      v4_instance_convert = {
>          gesl =  _kerberos._udp.globaledgesoft.com
>          lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>      }
>
>  pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>
>  }
>  ANDREW.CMU.EDU = {
>      admin_server = 172.16.8.141
>  }
> # use "kdc =" if realm admins haven't put SRV records into DNS
>      GNU.ORG = {
>              kdc = 172.16.8.141
>              kdc = 172.16.9.141
>              admin_server = 172.16.8.141
>      }
>
> [domain_realm]
>  .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>  globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>
> [logging]
> #    kdc = CONSOLE
>  kdc=FILE:/var/krb5kdc.log
>  admin_server = FILE:/var/log/kadmin.log
>      default = FILE:/var/log/krb5lib.log
> ***********************************************************************
> and this is my kdc.conf
> [kdcdefaults]
>  kdc_ports = 750,88
>  pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>  pkinit_anchors=DIR:/secure/ca-cert.pem
>
>
>
> For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>
>
>
>
> [realms]
> _kerberos._udp.globaledgesoft.com = {
>      database_name = /usr/local/var/krb5kdc/principal
>      admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>      acl_file = /usr/local/var/krb5kdc/kadm5.acl
>      key_stash_file =
> /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>      kdc_ports = 750,88
>      max_life = 10h 0m 0s
>      max_renewable_life = 7d 0h 0m 0s
>
>  pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>  pkinit_anchors=DIR:/secure/ca-cert.pem
>  }
>
> ***************************************** kdc.conf **********************
> I have used the openssl program to generate mycert.pem and the key, but I
> have not signed it with anything (neither self-signed nor with a CA).
>
>
>
> I'm not sure what you mean here.  A certificate must be signed by
> someone/something.  The client will not attempt preauth if the
> server's certificate is not trusted.
>
>
>
>
> kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key
> naveen
> kinit(v5): Unknown code u8JW 88 while setting
> 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>
>
>
> Obviously, there is a problem with that error code.
>
>
>
>
> I am not able to send AS_REQ with pa data filled with certificates.
> I am stuck here, please help me.
>
> Thank you.
>
> with regards
> naveen
>
>
>
> The MIT client will not send pkinit information until the server
> indicates it will accept it.  The server does this by indicating that
> the client principal requires preauthentication, and that pkinit is an
> acceptable form of preauthentication.
>
> Does the client principal have the requires_preauth flag set?  Is the
> server telling the client that pkinit is an acceptable preauth method?
>
>
>
>
> Hi kevin,
>
> Thank you for your reply, it helped me.  I had not set the requires_preauth flag
> for the client.  Now that I have set the flag I am getting the
> KRB5KDC_ERR_PREAUTH_REQUIRED message from the kdc and then the client sends
> a padata with encrypted timestamp and I am getting the ticket.  But I want
> to send certificates to the kdc
> and get the kdc certificates with dh parameters. Please kindly guide me.
> And this is the concept that I have understood, please correct me if I am
> wrong. I need to generate the ca-cert.pem and ca-private.key using the openssl
> tool.  Generate the RSA key for the client like kdc.pem and kdc.key,
> then sign the kdc.pem with the ca-private.key to generate the kdc certificate,
> similarly for the client, and submit the paths of these files in their profiles,
> right?
>
>
> The certificates don't have to be created using openssl, but that is
> one way of doing it.  If you do not currently have any PKI, then
> generating a self-signed CA certificate would be a good first step.
>
> This CA certificate can be used to sign a certificate for the KDC.
> The KDC's certificate must contain the proper Extended Key Usage (EKU)
> KeyPurposeId, to indicate it is intended to be used as a KDC
>
> From section 3.2.4 of RFC 4556:
>
>        id-pkinit-KPKdc OBJECT IDENTIFIER ::=
>          { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
>            pkinit(3) keyPurposeKdc(5) }
>               -- Signing KDC responses.
>               -- Key usage bits that MUST be consistent:
>               -- digitalSignature.
>
> The client must possess the self-signed CA certificate, and have it
> listed as a trust anchor.
>
> If the reply from the KDC does not include pkinit as an acceptable
> preauth mechanism, then there is something wrong with your KDC
> configuration.  If it is listed, then there is something wrong with
> your client configuration such that it doesn't trust the KDC.
>
> This message has some pointers on creating certs for use with pkinit
> with openssl:
> http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html
>
> K.C.
>
>
>
> Hi Kevin,
>
> Thanks for your reply. I am still trying to send the AS_REQ with
> certificates (i.e., PA-PK-AS-REQ).
> I have changed my kdc.conf and krb5.conf files as specified below.
> I have made use of the link you gave for configuring the openssl.cnf to
> generate the certificates.
>
> This is what my openssl.cnf looks like:
> /********************* start of openssl.cnf *******************/
>
> # OpenSSL example configuration file.
> # This is mostly being used for generation of certificate requests.
> #
>
> # This definition stops the following lines choking if HOME isn't
> # defined.
> HOME			= .
> RANDFILE		= $ENV::HOME/.rnd
>
> # Extra OBJECT IDENTIFIER info:
> #oid_file		= $ENV::HOME/.oid
> oid_section		= new_oids
>
> [ new_oids ]
> [ ca ]
> default_ca	= CA_default		# The default ca section
>
> [ CA_default ]
>
> dir		= ./demoCA		# Where everything is kept
> certs		= $dir/certs		# Where the issued certs are kept
> crl_dir		= $dir/crl		# Where the issued crl are kept
> database	= $dir/index.txt	# database index file.
> new_certs_dir	= $dir/newcerts		# default place for new certs.
>
> certificate	= $dir/cacert.pem 	# The CA certificate
> serial		= $dir/serial 		# The current serial number
> crl		= $dir/crl.pem 		# The current CRL
> private_key	= $dir/private/cakey.pem # The private key
> RANDFILE	= $dir/private/.rand	# private random number file
>
> x509_extensions	= usr_cert		# The extentions to add to the cert
>
> default_days	= 10000			# how long to certify for
> default_crl_days= 30			# how long before next CRL
> default_md	= sha1			# which md to use.
> preserve	= no			# keep passed DN ordering
> policy		= policy_match
>
> [ policy_match ]
> countryName		= optional
> stateOrProvinceName	= optional
> organizationName	= optional
> organizationalUnitName	= optional
> commonName		= optional
> emailAddress		= optional
>
>
> [ policy_anything ]
> countryName		= optional
> stateOrProvinceName	= optional
> localityName		= optional
> organizationName	= optional
> organizationalUnitName	= optional
> commonName		= supplied
> emailAddress		= optional
>
> [ req ]
> default_bits		= 1024
> default_keyfile 	= privkey.pem
> distinguished_name	= req_distinguished_name
> attributes		= req_attributes
> x509_extensions	= v3_ca	# The extentions to add to the self signed cert
> string_mask = nombstr
>
> [ req_distinguished_name ]
> countryName			= Country Name (2 letter code)
> countryName_default		= IN
> countryName_min			= 2
> countryName_max			= 2
>
> 0.organizationName		= Organization Name (eg, company)
> 0.organizationName_default	= GlobalEdge Soft ltd
> organizationalUnitName		= Organizational Unit Name (eg, section)
> organizationalUnitName_default	=
> commonName			= Common Name (eg, YOUR name)
> commonName_max			= 64
>
> [ req_attributes ]
>
> [ usr_cert ]
>
> [ v3_req ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
> [ v3_ca ]
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer:always
> basicConstraints = CA:true
>
> [ crl_ext ]
> authorityKeyIdentifier=keyid:always,issuer:always
>
> [ kdc_cert ]
> basicConstraints=CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
> extendedKeyUsage = 1.3.6.1.5.2.3.5
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> issuerAltName=issuer:copy
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
>
> [kdc_princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:kdc_principal_seq
>
> [kdc_principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:kdc_principals
>
> [kdc_principals]
> princ1 = GeneralString:krbtgt
> princ2 = GeneralString:${ENV::REALM}
>
> [ client_cert ]
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, keyEncipherment, keyAgreement
> extendedKeyUsage =  1.3.6.1.5.2.3.4
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
> issuerAltName=issuer:copy
>
> [princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:principal_seq
>
> [principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:principals
>
> [principals]
> princ1 = GeneralString:${ENV::CLIENT}
>
> /***************** End of openssl.cnf ***************************/
>
> I have set the environment variables REALM and CLIENT.
>
> I have used the following commands to generate the certificates.
>
> /************  CA certificates ***********/
> openssl genrsa -out ca.key 2048
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>
> At the end of this I have ca.crt and ca.key, which is self-signed.
>
> /************* END of CA crt **************/
>
> /************* Client certificate *********/
>
> openssl genrsa -out client.key 2048
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -signkey ca.key -extensions
> client_cert -out client.crt
>
> At the end of this I have client.crt and client.key, which is signed by the
> ca.key.
>
> /************* END of client crt ***********/
>
> /************* KDC certificate *************/
>
> openssl genrsa -out kdc.key 2048
> openssl req -new -key kdc.key -out kdc.csr
> openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extensions kdc_cert
> -out kdc.crt
>
> /************* END of KDC crt **************/
>
> I am running both client and server on the same machine.  I have kept the
> files {ca.crt,ca.key} in /ca, files
> {kdc.crt,kdc.key} in /key and files {client.crt,client.key} in /client
> directories.
>
>
> This is my new krb5.conf file.
> /****************************** start of Krb5.conf
> *************************/
>
> [libdefaults]
> 	default_realm = _kerberos._udp.globaledgesoft.com
> 	krb4_config = /usr/kerberos/lib/krb.conf
> 	krb4_realms = /usr/kerberos/lib/krb.realms
> 	pkinit_anchors  = DIR:/ca/
> 	
> 	
>
> [realms]
> 	 _kerberos._udp.globaledgesoft.com = {
> 		kdc = 172.16.8.141
> 		admin_server = 172.16.8.141
> 		pkinit_identity = DIR:/client/
> 		}
> [kdc]
> require-preauth = yes
> pkinit_identity = DIR:/kdc/
>
> [kadmin]
> require-preauth = yes
>
> [domain_realm]
> 	.globaledgesoft.com = _kerberos._udp.globaledgesoft.com
> 	globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>
> [logging]
> 	kdc=FILE:/var/krb5kdc.log
> 	admin_server = FILE:/var/log/kadmin.log
>     	default = FILE:/var/log/krb5lib.log
>
> /********************************* end of krb5.conf
> **************************/
>
> This is my new kdc.conf file.
>
> /********************************* start of kdc.conf
> ******************************/
>
> [kdcdefaults]
> 	kdc_ports = 750,88
> 	pkinit_anchors = DIR:/ca/
> 	pkinit_identity = DIR:/kdc/
> [realms]
>   _kerberos._udp.globaledgesoft.com = {
> 		database_name = /usr/local/var/krb5kdc/principal
> 		admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
> 		acl_file = /usr/local/var/krb5kdc/kadm5.acl
> 		key_stash_file =
> /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
> 		kdc_ports = 750,88
> 		max_life = 10h 0m 0s
> 		max_renewable_life = 7d 0h 0m 0s
>
> 	pkinit_identity = FILE:/client/
> 	}
> [kdc]
> require-preauth = yes
> /********************************** end of kdc.conf
> ***********************************/
>
> I also tried to generate the certificates using the link
> http://acs.lbl.gov/~boverhof/openssl_certs.html
> and modified the kdc.conf and krb5.conf; in place of specifying DIR, I have
> given the path of the .pem file
> and .key in the profiles, but it still isn't working.
> I also have a doubt on whether to use .pem and .key format or .crt and .key
> format certificates; it would
> be helpful if I get some guidance in generating certificates.  Are the above
> configuration files right? Please do guide me in case there is a mistake.
> Can you please send a link for
> client configuration if I am
> wrong in configuring the client and/or kdc for pkinit; I am not using a
> smartcard.
>
> Thank you for your support.
>
> With regards
> naveen

Unfortunately, I don't have the time right now to guide you.  Below is
an example of my test KDC's kdc.conf and client's krb5.conf.  As Russ
pointed out, your realm name is _highly_ unconventional, and is highly
likely to cause problems.  I don't know if it has anything to do with
any problems you are currently seeing.  Conventionally, your realm
name should be GLOBALEDGESOFT.COM (upper-case of your domain name).
Besides that, your config files look reasonable.  Without seeing the
contents of the /ca and /kdc directories, and the contents of the
certificates within them, I can't say more.

The contents of the cert and key files are expected to be in PEM
format.  Their names aren't important. See
http://www.mit.edu/~kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html
for more info on the config options.

You *may* get more help by compiling the pkinit preauth plugin code
with -DDEBUG, which will cause it to print more information to stdout.

K.C.

----  example kdc.conf ----

[kdcdefaults]
    default_realm = KWCTEST.CITI.UMICH.EDU
    kdc_ports = 750,88
    kdc_tcp_ports = 88
    v4_mode = nopreauth

[realms]
    KWCTEST.CITI.UMICH.EDU = {
        database_name = /usr/local/krb5/var/krb5kdc/KWCTEST/principal
        admin_keytab = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.keytab
        acl_file = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.acl
        dict_file = /usr/local/krb5/var/krb5kdc/kadm5.dict
        key_stash_file =
/usr/local/krb5/var/krb5kdc/KWCTEST/.k5.KWCTEST.CITI.UMICH.EDU
        supported_enctypes = aes256-cts:normal aes128-cts:normal
des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:afs3
        kadmind_port = 749
        pkinit_pool = FILE:/etc/grid-security/certificates/ca-intermediates.crt
        pkinit_revoke = DIR:/etc/grid-security/certificates
      pkinit_identity=FILE:/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.crt,/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.key
        pkinit_anchors=FILE:/etc/grid-security/certificates/ca-bundle.crt
        pkinit_anchors=FILE:/etc/grid-security/certificates/doe-ca.crt
        pkinit_allow_upn = true
        pkinit_eku_checking = none
    }


---- example krb5.conf ----
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = KWCTEST.CITI.UMICH.EDU
  dns_lookup_realm = true
  dns_lookup_kdc = true
  noaddresses = true
  no-addresses = true
  forwardable = true
  pkinit_anchors = DIR:/etc/grid-security/certificates

  KWCTEST.CITI.UMICH.EDU = {
    pkinit_require_eku = true
    pkinit_require_krbtgt_otherName = true
    pkinit_require_hostname_match = true
  }

[realms]

  KWCTEST.CITI.UMICH.EDU = {
    kdc = rock.citi.umich.edu
    admin_server = rock.citi.umich.edu
  }

[domain_realm]
 rock.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
 roll.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
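Added example, not part of the thread and not MIT Kerberos or OpenSSL code: a small DER encoder and decoder for the KRB5PrincipalName that the subjectAltName otherName sections ([kdc_princ_name]/[princ_name], OID 1.3.6.1.5.2.2) in the openssl.cnf above make openssl emit, plus the krbtgt/REALM check that pkinit_require_krbtgt_otherName in the example krb5.conf turns on. The realm and principal values are constructed; the decoder takes the raw otherName value as bytes.

```python
# Added example, not MIT Kerberos/OpenSSL code: DER encoder/decoder for the id-pkinit-san
# otherName (KRB5PrincipalName, RFC 4556) that the [kdc_princ_name]/[princ_name] sections emit.
SEQ, INT, GSTR, CTX0, CTX1 = 0x30, 0x02, 0x1B, 0xA0, 0xA1  # [0]/[1] are explicit tags
def tlv(tag, body):  # DER length: short form below 128, long form otherwise
    n, k = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body

def encode_krb5_principal_name(realm, names, name_type=1):
    """SEQUENCE { realm [0] GeneralString, principalName [1] PrincipalName }"""
    nt = tlv(INT, name_type.to_bytes(max(1, (name_type.bit_length() + 8) // 8), "big", signed=True))
    ns = tlv(SEQ, b"".join(tlv(GSTR, n.encode("ascii")) for n in names))
    pn = tlv(SEQ, tlv(CTX0, nt) + tlv(CTX1, ns))
    return tlv(SEQ, tlv(CTX0, tlv(GSTR, realm.encode("ascii"))) + tlv(CTX1, pn))

def read_tlv(buf, pos=0):  # -> (tag, contents, position after this TLV)
    tag, ln, pos = (*buf[pos:pos + 2], pos + 2)  # ValueError if fewer than 2 bytes remain
    if ln & 0x80:  # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def value(buf, tag):  # buf must be exactly one TLV with this tag; return its contents
    t, body, end = read_tlv(buf)
    if t != tag or end != len(buf):
        raise ValueError(f"expected tag {tag:#x}, got {t:#x}")
    return body
def children(buf, tag):  # contents of a constructed TLV as (tag, contents) pairs
    body, out, pos = value(buf, tag), [], 0
    while pos < len(body):
        ct, inner, pos = read_tlv(body, pos)
        out.append((ct, inner))
    return out

def decode_krb5_principal_name(der):  # -> (realm, name_type, [name components])
    (t0, realm), (t1, pn) = children(der, SEQ)
    (t2, nt), (t3, ns) = children(pn, SEQ)
    if (t0, t1, t2, t3) != (CTX0, CTX1, CTX0, CTX1):
        raise ValueError("unexpected tags in KRB5PrincipalName")
    parts = children(ns, SEQ)
    if any(ct != GSTR for ct, _ in parts):
        raise ValueError("name-string must be GeneralStrings")
    name_type = int.from_bytes(value(nt, INT), "big", signed=True)
    return value(realm, GSTR).decode("ascii"), name_type, [c.decode("ascii") for _, c in parts]

def is_kdc_san(der, realm):  # what pkinit_require_krbtgt_otherName enforces on the KDC cert
    r, _, parts = decode_krb5_principal_name(der)
    return r == realm and parts == ["krbtgt", realm]
```

To inspect a real certificate, dump the otherName value with openssl asn1parse and pass its bytes to decode_krb5_principal_name.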


