Using Smartcard with PK-INIT does not respond

Wed Mar 4 08:46:20 EST 2009

On Wed, Mar 4, 2009 at 1:49 AM, Loren M. Lang <lorenl at north-winds.org> wrote:
> I am trying to enable smartcard logins to a MIT Kerberos domain using
> the recent PK-INIT preauth plugin.  I am using Ubuntu 8.10 with it's
> stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
> -DDEBUG.  I have a server certificate installed on the KDC with the
> extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
> There is one intermediate certificate between it and the root CA.
> Client certificates were generated similarly only with the
> id_pkinit_KPClientAuth key usage and have two intermediates between it
> and the same root CA.  The client certificates are installed on a smart
> card using opensc and are also enabled for the clientAuth key usage for
> SSL client authentication.  I also have intermediate CAs and the root CA
> installed on the smart card as well.  Firefox is able to see the smart
> card including all intermediates and root CAs and is able to use it to
> authenticate against a SSL website.  Running kinit with debugging output
> I was able see that is was complaining that the smart card had four
> matching certs.  It did not filter out certificates missing the
> appropriable key usages or missing subjectAltName, maybe that's typical.
> I setup a pkinit_cert_match to filter out the other certificates and now
> kinit reports finding exactly one match, but bails out later due to
> missing intermediate certificates so I setup pkinit_pool to point
> to /etc/ssl/certs with appropriate certificates.  It did not seem to use
> the intermediates already on the smart card, is this normal?

Normal is subjective ;-)   There is no code to deal with intermediates
or root CAs that might be found on the smartcard.

> Now kinit
> was complaining about some broken symlinks that exist
> under /etc/ssl/certs and it bails out.  Shouldn't these just be ignored?

I thought anything that wasn't a cert was ignored w/o bailing, but
this might have been missed.

> This symlinks point to missing certificates that have nothing to do with
> the pki infrastructure I am using, but once I moved the symlinks out of
> the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
> preauth data, but received no response.  According to Wireshark,
> following the initial AS-REQ with no preauth, the server responds with a
> NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> and PA-PK-AS-REP.  The client then sends a single IP fragment response.
> The fragment has a payload of 1480 bytes with flag more fragments, but
> no further fragments are sent.  I have no firewall rules installed and
> am at a loss as to why there are no more fragments.

I'm not sure what might be happening here.  This would just be a
work-around, but is it possible for you to try using TCP rather than
UDP?

K.C.