kerberos, pre_auth, and smartcards
Bram Cymet
bcymet at cbnco.com
Tue Jul 27 15:33:32 EDT 2010
Hi,
I have been able to get kinit to (sort of) talk to my smartcard.
By specifying the X509_user_identity on the command line kinit will ask
me for the pin of the smart card and log into the smartcard (using
opensc_pkcs11) but then it will do nothing else with the smartcard. It
will then ask for my password and my kdc will happily issue me a ticket.
Even if I give the wrong PIN for the smartcard I can still get a ticket.
What really worries me is that NEEDED_PREAUTH is set for the principal
that I am using and "Additional pre-authentication required" is sent
back with the first AS_REQ but no matter what I do the kdc will issue a
ticket as long as I give it the correct password.
It is my understanding that with pre_auth required pkinit should be used
and there should be some type of certificate verification, correct? This
does not seem to be going on here. I have not specified a client cert
and I know it is not getting the cert off the smartcard. Is my
interpretation of pre_auth required incorrect?
I am using MIT Kerberos compiled from the latest released source.
If more information is needed, let me know.
Any ideas what could be going on?
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752