kerberos, pre_auth, and smartcards

Douglas E. Engert deengert at anl.gov
Tue Jul 27 17:06:27 EDT 2010



On 7/27/2010 2:33 PM, Bram Cymet wrote:
> Hi,
>
> I have been able to get kinit to (sort of) talk to my smartcard.
>
> By specifying the X509_user_identity on the command line kinit will ask
> me for the pin of the smart card and log into the smartcard (using
> opensc_pkcs11) but then it will do nothing else with the smartcard. It
> will then ask for my password and my kdc will happily issue me a ticket.
> Even if I give the wrong PIN for the smartcard I can still get a ticket.
>
> What really worries me is that NEEDED_PREAUTH is set for the principal
> that I am using and "Additional pre-authentication required" is sent
> back with the first AS_REQ but no matter what I do the kdc will issue a
> ticket as long as I give it the correct password.
>
> It is my understanding that with pre_auth required pkinit should be used
> and there should be some type of certificate verification correct? This
> does not seem to be going on here. I have not specified a client cert
> and I know it is not getting the cert off the smartcard. Is my
> interpretation of pre_auth required incorrect?
>
> I am using MIT Kerberos compiled from the latest released source.
>
> If more information is needed let me know.
>
> Any ideas what could be going on?

You may also need changes to the krb5.conf file to add many of the
pkinit_* parameters.

Are your KDCs MIT, Heimdal or Windows?

A wireshark trace would be helpful.

OPENSC=/path/to/opensc
export PKCS11SPY=$OPENSC/lib/opensc-pkcs11.so
kinit -X X509_user_identity=PKCS11:module_name=$OPENSC/lib/pkcs11-spy.so -f <principal>

could show what pkcs11 activity is going on with your card.

>
> Thanks,
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
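An added illustration of the krb5.conf / kdc.conf settings the reply refers to, for MIT Kerberos; this is example configuration written for this page, not taken from the thread or from the MIT project, and the realm name, host names, file paths and module path are assumed placeholders. It shows the client-side pkinit_* parameters that tell kinit where its trust anchors are and that its identity lives on the card behind the OpenSC PKCS#11 module, and the KDC-side identity and anchor settings the KDC needs before it can answer a PKINIT AS-REQ at all.

```ini
; ---- client: /etc/krb5.conf (assumed paths and names) ----
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        ; CA bundle used to validate the KDC's PKINIT certificate
        pkinit_anchors = FILE:/etc/krb5/pkinit/ca-bundle.pem
        ; client certificate and private key are taken from the smartcard
        ; through the OpenSC PKCS#11 module (module path is an assumption)
        pkinit_identities = PKCS11:module_name=/usr/lib/opensc-pkcs11.so
        ; require the KDC certificate to carry the id-pkinit-KPKdc EKU
        pkinit_eku_checking = kpKDC
        ; host name that must appear in the KDC certificate's SAN
        pkinit_kdc_hostname = kdc.example.com
    }

; ---- KDC: /var/lib/krb5kdc/kdc.conf (assumed paths) ----
[kdcdefaults]
    ; KDC's own PKINIT certificate and key
    pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
    ; CA bundle used to validate client certificates presented in PKINIT
    pkinit_anchors = FILE:/var/lib/krb5kdc/ca-bundle.pem
```

With these settings in place, `kinit -X X509_user_identity=PKCS11:module_name=/usr/lib/opensc-pkcs11.so <principal>` will attempt a PKINIT AS exchange using the card. The requires_preauth flag on a principal (what the KDC database reports as NEEDED_PREAUTH) only demands that some pre-authentication be supplied; encrypted-timestamp pre-authentication derived from the password satisfies it just as PKINIT does, which is why a password still yields a ticket even when the PKINIT attempt never completes.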