Reg: pkinit with smartcard on kerberos V5

Douglas E. Engert deengert at anl.gov
Tue Feb 26 17:45:24 EST 2013



On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> Dear Community,
>
> I assume I have mailed to the right community list for this kind of
> question. If I have mailed to the wrong location, may I please ask for
> the respective mailing address.
>
> I am a system administrator for a high performance cluster, and I am
> thinking of setting up smartcard authentication with Kerberos.
>
> I have already completed the Kerberos authentication implementation for users
> of the cluster, through kinit and GSSAPI.
>
> These are the steps that I have followed to set up PKINIT with a smartcard.
>
> 1. I have created a CA to issue the CA certificate and CA key, and used those to
> create the KDC certificate and client certificates as mentioned in the
> link below.
>
> http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
>
> 2. However, in order to use the smartcard along with PAM and Kerberos
> authentication, I need to use the CAs given by our organization for the
> smart card, for which we do not have the CA key.

Your organization's CA can sign a certificate request created by the
key on the card or by the KDC. The signed request then becomes the certificate
signed by the CA. You as the Kerberos admin don't need the CA's key.

>
> My question is: do we have to use the same CA for the KDC, client and
> smartcard certificates? Or could we point the KDC at two different CAs, one for
> the KDC and client certificates and one for the smartcard certificates?

You can use different CAs. The client will need a copy of the CA certificate
that signed the KDC's certificate. The KDC needs a copy of the CA certificate
used to sign the smart card certificate. (That is the simplest case.)

>
> In that way, it would be helpful if the KDC could use a self-generated CA
> certificate for the KDC and client certificates, while it uses the
> smartcard CA certificate for user login authentication with the smart card.
>
> Also, may I know how we kinit using the smartcard, in order to debug whether the
> issue is with the PAM login attempt or with the Kerberos authentication?
>
> I would be happy to hear from you.

FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
Windows 7 and above come with all the software needed if you are
using certain types of smart cards (HSPD-12 PIV cards, for example).

Linux and Macs with Kerberos and PKINIT can use AD as the KDC.

We use some smart cards with certificates signed by our windows
enterprise CA, as well as government issued cards to login to Windows
or Unix.

What cards are you using?
What code to manage the cards?
What code to the cards?
What card readers?


>
> Thank you
>
> Lohit
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
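The two-CA split described in the reply above (self-generated CA for the KDC certificate, the organization's smart card CA for client certificates), written out as MIT krb5 configuration. This is an added example, not code from the thread or from the MIT documentation; the realm name, hostnames and file paths are placeholders, and the PKCS#11 module path assumes OpenSC. Each side only needs the CA certificate (the public half) for the chain it verifies, which is why the Kerberos admin never needs the smart card CA's private key.

```ini
# --- krb5.conf on the cluster nodes (client side, hypothetical realm/paths) ---
[libdefaults]
    default_realm = CLUSTER.EXAMPLE

[realms]
    CLUSTER.EXAMPLE = {
        kdc = kdc.cluster.example
        # Trust anchor for the KDC's certificate: the self-generated CA.
        # Only the CA certificate is installed here, never the CA key.
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
        # The user's credential is the private key and certificate on the card,
        # reached through the PKCS#11 module (OpenSC path assumed).
        pkinit_identities = PKCS11:/usr/lib/opensc-pkcs11.so
        # Keep the default: the KDC certificate must carry the id-pkinit-KPKdc EKU.
        # Setting this to none lets any certificate from that CA impersonate the KDC.
        pkinit_eku_checking = kpKDC
        # Optional: pick one certificate when the card holds several.
        # pkinit_cert_match = <EKU>msScLogin,clientAuth
    }

# --- kdc.conf on the KDC (hypothetical paths) ---
[realms]
    CLUSTER.EXAMPLE = {
        # The KDC's own certificate and key, issued by the self-generated CA.
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
        # Trust anchor for client certificates: the organization's smart card CA.
        # Again only the CA certificate is needed, not its private key.
        pkinit_anchors = FILE:/var/lib/krb5kdc/smartcard-ca.pem
        # Intermediate CAs of the smart card PKI, if the card certs chain through one.
        pkinit_pool = FILE:/var/lib/krb5kdc/smartcard-intermediates.pem
        # Map the certificate to a principal via the Microsoft UPN SAN when the
        # cards carry that instead of the Kerberos pkinit SAN.
        pkinit_allow_upn = true
        # Accept the Microsoft Smart Card Logon EKU found on many org-issued cards;
        # do not set this to none.
        pkinit_eku_checking = scLogin
        # Refuse client certificates whose CRL cannot be checked.
        pkinit_require_crl_checking = true
    }
```

To separate the Kerberos leg from PAM, as the original question asks, run the client side by hand and watch the library trace: `KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=PKCS11:/usr/lib/opensc-pkcs11.so user@CLUSTER.EXAMPLE`. If that yields a TGT, the PKINIT configuration is sound and the remaining problem is in the PAM stack. Before relying on the card certificates, check what they actually carry with `openssl x509 -in card-cert.pem -noout -text`: the KDC derives the principal from the certificate's pkinit subjectAltName or, with pkinit_allow_upn, from the Microsoft UPN SAN, and a card certificate with neither cannot be mapped to a principal without being reissued. Verifying the chain with `openssl verify -CAfile smartcard-ca.pem card-cert.pem` on the KDC host confirms the anchor file is the right one.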

