Using Smartcard with PK-INIT does not respond

Douglas E. Engert deengert at
Wed Mar 4 10:48:09 EST 2009

Loren M. Lang wrote:
> I am trying to enable smartcard logins to a MIT Kerberos domain using
> the recent PK-INIT preauth plugin.  I am using Ubuntu 8.10 with it's
> stock Kerberos 1.6.4 packages except for recompiled with

Be careful here. If you renamed the old and copied
the new one in to the same directory, they might both get loaded!
The plugin code loads all the files it finds irregardless of name.

> I have a server certificate installed on the KDC with the
> extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
> There is one intermediate certificate between it and the root CA.
> Client certificates were generated similarly only with the
> id_pkinit_KPClientAuth key usage and have two intermediates between it
> and the same root CA.  The client certificates are installed on a smart
> card using opensc and are also enabled for the clientAuth key usage for
> SSL client authentication.  I also have intermediate CAs and the root CA
> installed on the smart card as well.  Firefox is able to see the smart
> card including all intermediates and root CAs and is able to use it to
> authenticate against a SSL website.  Running kinit with debugging output
> I was able see that is was complaining that the smart card had four
> matching certs.  It did not filter out certificates missing the
> appropriable key usages or missing subjectAltName, maybe that's typical.
> I setup a pkinit_cert_match to filter out the other certificates and now
> kinit reports finding exactly one match, but bails out later due to
> missing intermediate certificates so I setup pkinit_pool to point
> to /etc/ssl/certs with appropriate certificates.  It did not seem to use
> the intermediates already on the smart card, is this normal?  Now kinit
> was complaining about some broken symlinks that exist
> under /etc/ssl/certs and it bails out.  Shouldn't these just be ignored?
> This symlinks point to missing certificates that have nothing to do with
> the pki infrastructure I am using, but once I moved the symlinks out of
> the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
> preauth data, but received no response.  According to Wireshark,
> following the initial AS-REQ with no preauth, the server responds with a
> NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> and PA-PK-AS-REP.  The client then sends a single IP fragment response.
> The fragment has a payload of 1480 bytes with flag more fragments, but
> no further fragments are sent.  I have no firewall rules installed and
> am at a loss as to why there are no more fragments.

As Kevin said, try TCP.

    udp_preference_limit = 1

will force use of TCP.

> ------------------------------------------------------------------------
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list