[Fwd: Re: problem in sending AS_REQ]

naveen.bn naveen.bn at globaledgesoft.com
Wed May 28 09:06:22 EDT 2008


Kevin Coffman wrote:

>On Tue, May 27, 2008 at 11:09 AM, naveen.bn
><naveen.bn at globaledgesoft.com> wrote:
>  
>
>>
>>---------- Forwarded message ----------
>>From: "naveen.bn" <naveen.bn at globaledgesoft.com>
>>To: Kevin Coffman <kwc at umich.edu>
>>Date: Tue, 27 May 2008 15:06:25 +0000
>>Subject: Re: problem in sending AS_REQ
>>Kevin Coffman wrote:
>>
>>    
>>
>>>On Mon, May 26, 2008 at 12:02 PM, naveen.bn
>>><naveen.bn at globaledgesoft.com> wrote:
>>>
>>>      
>>>
>>>>Hi all,
>>>>This is my krb5.conf
>>>>*********************  krb5.conf ******************************
>>>>[libdefaults]
>>>> default_realm = _kerberos._udp.globaledgesoft.com
>>>> krb4_config = /usr/kerberos/lib/krb.conf
>>>> krb5_realms = /usr/kerberos/lib/krb.realms
>>>> pkinit_anchors  = FILE:/secure/ca-cert.pem
>>>>
>>>>[realms]
>>>>  _kerberos._udp.globaledgesoft.com = {
>>>>     admin_server = 172.16.8.141
>>>>     kdc = 172.16.8.141
>>>>     v4_instance_convert = {
>>>>         gesl =  _kerberos._udp.globaledgesoft.com
>>>>         lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>>>>     }
>>>>
>>>> pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>>>>
>>>> }
>>>> ANDREW.CMU.EDU = {
>>>>     admin_server = 172.16.8.141
>>>> }
>>>># use "kdc =" if realm admins haven't put SRV records into DNS
>>>>     GNU.ORG = {
>>>>             kdc = 172.16.8.141
>>>>             kdc = 172.16.9.141
>>>>             admin_server = 172.16.8.141
>>>>     }
>>>>
>>>>[domain_realm]
>>>> .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>> globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>>
>>>>[logging]
>>>>#    kdc = CONSOLE
>>>> kdc=FILE:/var/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmin.log
>>>>     default = FILE:/var/log/krb5lib.log
>>>>***********************************************************************
>>>>and this is my kdc.conf
>>>>[kdcdefaults]
>>>> kdc_ports = 750,88
>>>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>> pkinit_anchors=DIR:/secure/ca-cert.pem
>>>>
>>>>        
>>>>
>>>For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>>>
>>>
>>>      
>>>
>>>>[realms]
>>>>_kerberos._udp.globaledgesoft.com = {
>>>>     database_name = /usr/local/var/krb5kdc/principal
>>>>     admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>>>>     acl_file = /usr/local/var/krb5kdc/kadm5.acl
>>>>     key_stash_file =
>>>>/usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>>>>     kdc_ports = 750,88
>>>>     max_life = 10h 0m 0s
>>>>     max_renewable_life = 7d 0h 0m 0s
>>>>
>>>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>> pkinit_anchors=DIR:/secure/ca-cert.pem
>>>> }
>>>>
>>>>***************************************** kdc.conf **********************
>>>>I have used the openssl program to generate mycert.pem and the key, but I
>>>>have not signed it with anything (neither self-signed nor with a CA).
>>>>
>>>>        
>>>>
>>>I'm not sure what you mean here.  A certificate must be signed by
>>>someone/something.  The client will not attempt preauth if the
>>>server's certificate is not trusted.
>>>
>>>
>>>      
>>>
>>>>kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key
>>>>naveen
>>>>kinit(v5): Unknown code u8JW 88 while setting
>>>>'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>>>>
>>>>        
>>>>
>>>Obviously, there is a problem with that error code.
>>>
>>>
>>>      
>>>
>>>>I am not able to send an AS_REQ with padata filled with certificates.
>>>>I am stuck here, please help me.
>>>>
>>>>thank you .
>>>>
>>>>with regards
>>>>naveen
>>>>
>>>>        
>>>>
>>>The MIT client will not send pkinit information until the server
>>>indicates it will accept it.  The server does this by indicating that
>>>the client principal requires preauthentication, and that pkinit is an
>>>acceptable form of preauthentication.
>>>
>>>Does the client principal have the requires_preauth flag set?  Is the
>>>server telling the client that pkinit is an acceptable preauth method?
>>>
>>>
>>>      
>>>
>>Hi Kevin,
>>
>>Thank you for your reply; it helped me.  I had not set the requires_preauth flag
>>for the client.  Now that I have set the flag I am getting the
>>KRB5KDC_ERR_PREAUTH_REQUIRED message from the KDC, and then the client sends
>>padata with an encrypted timestamp and I get the ticket.  But I want
>>to send certificates to the KDC
>>and get the KDC certificate with DH parameters.  Please kindly guide me.
>>This is the concept I have understood; please correct me if I am
>>wrong.  I need to generate ca-cert.pem and ca-private.key using the openssl
>>tool, generate an RSA key for the client (like kdc.pem and kdc.key),
>>then sign kdc.pem with ca-private.key to generate the KDC certificate,
>>similarly for the client, and put the paths of these files in their profiles.
>>Right?
>>    
>>
>
>The certificates don't have to be created using openssl, but that is
>one way of doing it.  If you do not currently have any PKI, then
>generating a self-signed CA certificate would be a good first step.
>
>This CA certificate can be used to sign a certificate for the KDC.
>The KDC's certificate must contain the proper Extended Key Usage (EKU)
>KeyPurposeId, to indicate it is intended to be used as a KDC.
>
>From section 3.2.4 of RFC 4556:
>
>       id-pkinit-KPKdc OBJECT IDENTIFIER ::=
>         { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
>           pkinit(3) keyPurposeKdc(5) }
>              -- Signing KDC responses.
>              -- Key usage bits that MUST be consistent:
>              -- digitalSignature.
>
>The client must possess the self-signed CA certificate, and have it
>listed as a trust anchor.
>
>If the reply from the KDC does not include pkinit as an acceptable
>preauth mechanism, then there is something wrong with your KDC
>configuration.  If it is listed, then there is something wrong with
>your client configuration such that it doesn't trust the KDC.
>
>This message has some pointers on creating certs for use with pkinit
>with openssl:
>http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html
>
>K.C.
>
>  
>
Hi Kevin,

Thanks for your reply. I am still trying to send the AS_REQ with certificates (i.e., PA-PK-AS-REQ).
I have changed my kdc.conf and krb5.conf files as specified below.
I have made use of the link you gave for configuring the openssl.cnf to generate the certificates.

This is how my openssl.cnf looks:
/********************* start of openssl.cnf *******************/

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

[ new_oids ]
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]

dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem # The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extensions to add to the cert

default_days	= 10000			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha1			# which md to use.
preserve	= no			# keep passed DN ordering
policy		= policy_match

[ policy_match ]
countryName		= optional
stateOrProvinceName	= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= optional
emailAddress		= optional


[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
default_bits		= 1024
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert
string_mask = nombstr

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= IN
countryName_min			= 2
countryName_max			= 2

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= GlobalEdge Soft ltd
organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= 
commonName			= Common Name (eg, YOUR name)
commonName_max			= 64

[ req_attributes ]

[ usr_cert ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

[ kdc_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

[ client_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage =  1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy

[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:${ENV::CLIENT}

/***************** End of openssl.cnf ***************************/

I have set the environment variables REALM and CLIENT.

I have used the following commands to generate the certificates.
 
/************  CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

At the end of this I have ca.crt and ca.key, which is self-signed.

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey ca.key -extensions client_cert -out client.crt

At the end of this I have client.crt and client.key, which is signed by ca.key.

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extensions kdc_cert -out kdc.crt

/************* END of KDC crt **************/

I am running both client and server on the same machine.  I have kept the files {ca.crt,ca.key} in /ca, the files
{kdc.crt,kdc.key} in /key and the files {client.crt,client.key} in /client.
 

This is my new krb5.conf file.
/****************************** start of Krb5.conf *************************/

[libdefaults]
	default_realm = _kerberos._udp.globaledgesoft.com
	krb4_config = /usr/kerberos/lib/krb.conf
	krb4_realms = /usr/kerberos/lib/krb.realms
	pkinit_anchors  = DIR:/ca/
	
	

[realms]
	 _kerberos._udp.globaledgesoft.com = {
		kdc = 172.16.8.141
		admin_server = 172.16.8.141
		pkinit_identity = DIR:/client/
		}
[kdc]
require-preauth = yes
pkinit_identity = DIR:/kdc/

[kadmin]
require-preauth = yes

[domain_realm]
	.globaledgesoft.com = _kerberos._udp.globaledgesoft.com
	globaledgesoft.com = _kerberos._udp.globaledgesoft.com

[logging]
	kdc=FILE:/var/krb5kdc.log
	admin_server = FILE:/var/log/kadmin.log
    	default = FILE:/var/log/krb5lib.log

/********************************* end of krb5.conf **************************/

This is my new kdc.conf file.

/********************************* start of kdc.conf ******************************/

[kdcdefaults]
	kdc_ports = 750,88
	pkinit_anchors = DIR:/ca/
	pkinit_identity = DIR:/kdc/
[realms]
  _kerberos._udp.globaledgesoft.com = {
		database_name = /usr/local/var/krb5kdc/principal
		admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
		acl_file = /usr/local/var/krb5kdc/kadm5.acl
		key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
		kdc_ports = 750,88
		max_life = 10h 0m 0s
		max_renewable_life = 7d 0h 0m 0s

	pkinit_identity = FILE:/client/
	}
[kdc]
require-preauth = yes
/********************************** end of kdc.conf ***********************************/


I also tried to generate the certificates using the link http://acs.lbl.gov/~boverhof/openssl_certs.html
and modified kdc.conf and krb5.conf so that, in place of specifying DIR, I gave the path of the .pem
and .key file in the profiles, but it still isn't working.
I also have a doubt about whether to use .pem and .key or .crt and .key format certificates; it would
be helpful to get some guidance in generating certificates.  Are the above configuration files right?
Please guide me in case there is a mistake.  Can you please send a link for client configuration, in case I am
wrong in configuring the client and/or KDC for pkinit?  I am not using a smartcard.

Thank you for your support.

With regards
naveen
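Kevin's pointer to the id-pkinit-KPKdc key purpose and the `[kdc_princ_name]` / `[princ_name]` ASN.1 sections in the posted openssl.cnf describe the same two pieces of a PKINIT certificate: the PKINIT extended-key-usage OIDs, and the KRB5PrincipalName carried in a subjectAltName otherName (RFC 4556 section 3.2.2). The following is an added example, not code from this thread or from MIT Kerberos. It DER-encodes those structures with only the Python standard library, so the bytes can be compared against `openssl asn1parse` output of a generated certificate, decodes them back, and applies the check a PKINIT client makes on the KDC certificate: the id-pkinit-san must name the TGS of the target realm, krbtgt/REALM@REALM. The realm EXAMPLE.COM and the principal names used below are constructed sample values, not taken from the thread.

```python
"""DER encode/decode the PKINIT certificate name structures (RFC 4556 3.2.2):

    id-pkinit-san OBJECT IDENTIFIER ::= { 1 3 6 1 5 2 2 }
    KRB5PrincipalName ::= SEQUENCE {
        realm         [0] Realm,             -- GeneralString
        principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE {
        name-type   [0] Int32,
        name-string [1] SEQUENCE OF KerberosString }

This is what the openssl.cnf sections [kdc_princ_name]/[princ_name] build with
their EXP:n and GeneralString entries.  Standard library only; example code.
"""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"             # otherName type-id
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"  # EKU for client certificates
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"         # EKU for the KDC certificate
NT_PRINCIPAL = 1                            # name-type the posted config uses

# DER tags: universal types plus constructed context-specific [0] and [1]
TAG_INTEGER, TAG_OID, TAG_GENERALSTRING, TAG_SEQUENCE = 0x02, 0x06, 0x1B, 0x30
TAG_CTX0, TAG_CTX1 = 0xA0, 0xA1


def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER; 1.3.6.1.5.2.3.5 -> 06 07 2b 06 01 05 02 03 05."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def _general_string(s: str) -> bytes:
    return _tlv(TAG_GENERALSTRING, s.encode("ascii"))


def _integer(n: int) -> bytes:
    return _tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_krb5_principal_name(realm, components, name_type=NT_PRINCIPAL) -> bytes:
    name_string = _tlv(TAG_SEQUENCE, b"".join(_general_string(c) for c in components))
    principal = _tlv(TAG_SEQUENCE, _tlv(TAG_CTX0, _integer(name_type)) + _tlv(TAG_CTX1, name_string))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_CTX0, _general_string(realm)) + _tlv(TAG_CTX1, principal))


def encode_pkinit_san_othername(realm, components, name_type=NT_PRINCIPAL) -> bytes:
    """GeneralName.otherName is [0] IMPLICIT, so the outer tag is A0, not 30;
    inside: type-id id-pkinit-san, then value [0] EXPLICIT KRB5PrincipalName."""
    value = _tlv(TAG_CTX0, encode_krb5_principal_name(realm, components, name_type))
    return _tlv(TAG_CTX0, encode_oid(ID_PKINIT_SAN) + value)


def _read(buf: bytes, tag: int, pos: int = 0):
    """Read one TLV at pos, require the given tag, return (body, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    if buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, got 0x{buf[pos]:02x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits give the octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return buf[pos:pos + length], pos + length


def decode_pkinit_san_othername(der: bytes):
    """Inverse of encode_pkinit_san_othername -> (realm, name_type, components)."""
    other, end = _read(der, TAG_CTX0)
    if end != len(der):
        raise ValueError("trailing bytes after otherName")
    oid, pos = _read(other, TAG_OID)
    if _tlv(TAG_OID, oid) != encode_oid(ID_PKINIT_SAN):
        raise ValueError("otherName type-id is not id-pkinit-san")
    value, _ = _read(other, TAG_CTX0, pos)
    kpn, _ = _read(value, TAG_SEQUENCE)
    realm_w, pos = _read(kpn, TAG_CTX0)
    realm, _ = _read(realm_w, TAG_GENERALSTRING)
    pn, _ = _read(_read(kpn, TAG_CTX1, pos)[0], TAG_SEQUENCE)
    nt_w, pos = _read(pn, TAG_CTX0)
    name_type = int.from_bytes(_read(nt_w, TAG_INTEGER)[0], "big", signed=True)
    ns, _ = _read(_read(pn, TAG_CTX1, pos)[0], TAG_SEQUENCE)
    components, pos = [], 0
    while pos < len(ns):
        c, pos = _read(ns, TAG_GENERALSTRING, pos)
        components.append(c.decode("ascii"))
    return realm.decode("ascii"), name_type, components


def kdc_san_matches_realm(der: bytes, realm: str) -> bool:
    """Client-side check from RFC 4556 3.2.4: the KDC certificate's id-pkinit-san
    must name the TGS of the target realm, i.e. krbtgt/REALM@REALM."""
    try:
        san_realm, _nt, components = decode_pkinit_san_othername(der)
    except ValueError:
        return False
    return san_realm == realm and components == ["krbtgt", realm]


if __name__ == "__main__":
    realm = "EXAMPLE.COM"                                   # constructed sample realm
    for label, comps in (("kdc", ["krbtgt", realm]), ("client", ["alice"])):
        san = encode_pkinit_san_othername(realm, comps)
        r, nt, c = decode_pkinit_san_othername(san)
        print(label, "/".join(c) + "@" + r, "name-type", nt,
              "names the TGS:", kdc_san_matches_realm(san, realm), san.hex())
    print("id-pkinit-KPKdc DER:", encode_oid(ID_PKINIT_KPKDC).hex())
```

The printed hex for the KDC SAN is the value that should appear under `X509v3 Subject Alternative Name` when a certificate made from the `kdc_cert` section is dumped with `openssl x509 -in kdc.crt -noout -text`; the client certificate's `[principals]` section encodes the same way with a single name component. Two points about the `openssl x509 -req` invocations posted above, stated as facts about the tool rather than as a diagnosis of the failure: `-extensions kdc_cert` only adds extensions when the section is read from a file named with `-extfile openssl.cnf`, and `-signkey ca.key` self-signs the request with that key, whereas a certificate issued by the CA is produced with `-CA ca.crt -CAkey ca.key -CAcreateserial`.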

More information about the Kerberos mailing list