Using Smartcard with PK-INIT does not respond

Loren M. Lang lorenl at
Wed Mar 4 01:49:34 EST 2009

I am trying to enable smartcard logins to a MIT Kerberos domain using
the recent PK-INIT preauth plugin.  I am using Ubuntu 8.10 with it's
stock Kerberos 1.6.4 packages except for recompiled with
-DDEBUG.  I have a server certificate installed on the KDC with the
extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
There is one intermediate certificate between it and the root CA.
Client certificates were generated similarly only with the
id_pkinit_KPClientAuth key usage and have two intermediates between it
and the same root CA.  The client certificates are installed on a smart
card using opensc and are also enabled for the clientAuth key usage for
SSL client authentication.  I also have intermediate CAs and the root CA
installed on the smart card as well.  Firefox is able to see the smart
card including all intermediates and root CAs and is able to use it to
authenticate against a SSL website.  Running kinit with debugging output
I was able see that is was complaining that the smart card had four
matching certs.  It did not filter out certificates missing the
appropriable key usages or missing subjectAltName, maybe that's typical.
I setup a pkinit_cert_match to filter out the other certificates and now
kinit reports finding exactly one match, but bails out later due to
missing intermediate certificates so I setup pkinit_pool to point
to /etc/ssl/certs with appropriate certificates.  It did not seem to use
the intermediates already on the smart card, is this normal?  Now kinit
was complaining about some broken symlinks that exist
under /etc/ssl/certs and it bails out.  Shouldn't these just be ignored?
This symlinks point to missing certificates that have nothing to do with
the pki infrastructure I am using, but once I moved the symlinks out of
the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
preauth data, but received no response.  According to Wireshark,
following the initial AS-REQ with no preauth, the server responds with a
NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
and PA-PK-AS-REP.  The client then sends a single IP fragment response.
The fragment has a payload of 1480 bytes with flag more fragments, but
no further fragments are sent.  I have no firewall rules installed and
am at a loss as to why there are no more fragments.

Loren M. Lang
lorenl at

Public Key:
Fingerprint: 10A0 7AE2 DAF5 4780 888A  3FA4 DCEE BB39 7654 DE5B

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url :

More information about the Kerberos mailing list