kerberos, pre_auth, and smartcards

Kevin Coffman kwc at umich.edu
Tue Jul 27 16:05:50 EDT 2010


PKINIT is one of many methods of pre-authentication.  Does the KDC's
response to the client with "Additional pre-authentication required"
include PKINIT as an allowed pre-auth method?  (You'll probably need a
packet trace to determine this.)  If not, there is something wrong
with your KDC setup and it cannot process PKINIT.  If PKINIT pre-auth
is not available, then the next default is Timestamp which will prompt
for your password.

You should start with the KDC side and make sure it is correctly
configured and offering PKINIT as an acceptable pre-auth.  This may
require re-building the PKINIT plugin with -DDEBUG defined to get more
information.

K.C.


On Tue, Jul 27, 2010 at 3:33 PM, Bram Cymet <bcymet at cbnco.com> wrote:
> Hi,
>
> I have been able to get kinit to (sort of) talk to my smartcard.
>
> By specifying the X509_user_identity on the command line kinit will ask
> me for the pin of the smart card and log into the smartcard (using
> opensc_pkcs11) but then it will do nothing else with the smartcard. It
> will then ask for my password and my kdc will happily issue me a ticket.
> Even if I give the wrong PIN for the smartcard I can still get a ticket.
>
> What really worries me is that NEEDED_PREAUTH is set for the principal
> that I am using and "Additional pre-authentication required" is sent
> back with the first AS_REQ but no matter what I do the kdc will issue a
> ticket as long as I give it the correct password.
>
> It is my understanding that with pre_auth required pkinit should be used
> and there should be some type of certificate verification correct? This
> does not seem to be going on here. I have not specified a client cert
> and I know it is not getting the cert off the smartcard. Is my
> interpretation of pre_auth required incorrect?
>
> I am using MIT Kerberos compiled from the latest released source.
>
> If more information is needed let me know.
>
> Any ideas what could be going on?
>
> Thanks,
>
> --
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> Cell: 613-608-9752
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
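
The check Kevin suggests (does the KDC's "Additional pre-authentication
required" error actually list PKINIT?) can be done on the bytes from a
packet trace.  The KRB-ERROR's e-data field carries a DER METHOD-DATA,
i.e. a SEQUENCE OF PA-DATA, and each PA-DATA has a padata-type ([1] Int32)
and a padata-value ([2] OCTET STRING).  The script below is an added
example, not code from the thread or from MIT Kerberos: it contains a
minimal DER codec so it runs with the Python standard library only, and the
two sample e-data blobs are constructed here for illustration, not
captured from anyone's KDC.  The type numbers are the ones registered in
RFC 4120 section 7.5.2 and RFC 4556/6113.

```python
"""List the pre-authentication types a KDC offers in a KRB-ERROR's e-data.

Added example (not from the mailing-list thread or the MIT Kerberos tree).
The DER encoder exists only to build the constructed samples; the decoder
is what you would point at real bytes copied from a trace.
"""

# PA-DATA type numbers (RFC 4120 s.7.5.2, RFC 4556, RFC 6113).
PA_TYPES = {
    1: "PA-TGS-REQ",
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
}
PKINIT_TYPES = {14, 16}   # either one means the KDC will accept a PKINIT AS-REQ


# --- minimal DER encoder, used only to build the constructed samples ---

def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def der_int(v):
    """INTEGER with minimal two's-complement content (non-negative Int32 here)."""
    n = max(1, (v.bit_length() + 8) // 8)   # the +8 keeps the sign bit clear
    return der_tlv(0x02, v.to_bytes(n, "big", signed=True))


def pa_data(pa_type, value=b""):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    return der_tlv(0x30, der_tlv(0xA1, der_int(pa_type))
                   + der_tlv(0xA2, der_tlv(0x04, value)))


def method_data(*pa_entries):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA"""
    return der_tlv(0x30, b"".join(pa_entries))


# --- DER decoder for the METHOD-DATA the KDC sends back ---

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in METHOD-DATA")
    pos += 1
    first = buf[pos]
    pos += 1
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def expect(buf, pos, tag):
    t, v, nxt = read_tlv(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return v, nxt


def offered_preauth(edata):
    """Parse the METHOD-DATA in a KDC_ERR_PREAUTH_REQUIRED error and return the
    padata-type numbers in the order the KDC listed them."""
    seq, end = expect(edata, 0, 0x30)
    if end != len(edata):
        raise ValueError("trailing bytes after METHOD-DATA")
    types = []
    pos = 0
    while pos < len(seq):
        item, pos = expect(seq, pos, 0x30)          # one PA-DATA
        t1, p = expect(item, 0, 0xA1)               # [1] padata-type
        v, _ = expect(t1, 0, 0x02)
        types.append(int.from_bytes(v, "big", signed=True))
        t2, p = expect(item, p, 0xA2)               # [2] padata-value
        expect(t2, 0, 0x04)                         # contents are type-specific; ignored
    return types


def offers_pkinit(edata):
    return any(t in PKINIT_TYPES for t in offered_preauth(edata))


def describe(edata):
    return [PA_TYPES.get(t, "unknown(%d)" % t) for t in offered_preauth(edata)]


# Constructed samples (not real captures).
# 1) A KDC offering only the password path: kinit falls back to the
#    timestamp prompt, which is what the symptom in the thread looks like.
SAMPLE_NO_PKINIT = method_data(pa_data(2), pa_data(19, b"\x30\x00"))
# 2) A KDC that also advertises PKINIT (plus a FAST cookie).
SAMPLE_WITH_PKINIT = method_data(pa_data(16), pa_data(2),
                                 pa_data(19, b"\x30\x00"), pa_data(133, b"cookie"))

if __name__ == "__main__":
    for name, blob in (("no-pkinit", SAMPLE_NO_PKINIT), ("with-pkinit", SAMPLE_WITH_PKINIT)):
        print(name, blob.hex())
        print("  offered:", describe(blob))
        print("  PKINIT offered:", offers_pkinit(blob))
```

To use it on a real trace, copy the content bytes of the KRB-ERROR e-data
OCTET STRING (not the outer [12] tag and length) as a hex stream and call
`offered_preauth(bytes.fromhex(...))`.  If 16 (or 14) is absent from the
list, the KDC is not offering PKINIT and the client's fallback to
PA-ENC-TIMESTAMP, with the password prompt, is the expected behaviour.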
