Reg: pkinit with smartcard on kerberos V5

lohitv9@gmail.com lohitv9 at gmail.com
Sat Mar 9 12:48:23 EST 2013


Hello Douglas, 

Thank you for your reply. It gives me hope of solving the ongoing issue.

Please let me give an explanation of the environment in which I am trying to use smart cards.

I would like to use both Linux (CentOS) and Windows as client machines.

However, only Linux (CentOS) is used as our server operating system. CentOS is a Red Hat Linux variant.

I already have a fully configured, working setup of OpenLDAP, GSSAPI and Kerberos as the user authorization and authentication mechanism with Windows and Linux clients.
The OpenLDAP repository is used as the principal database for Kerberos, so OpenLDAP (389 Directory Server) is used for authorization and Kerberos is used for authentication.

Users can log in using password Kerberos authentication with SSH, and they receive Kerberos tickets with the current configuration.

However, I would like to get rid of passwords and use PIV card PKINIT authentication with Kerberos instead.

I understand that AD and Windows have a good implementation of PKINIT, but I do want to use AD for the KDC or for the directory service.


I have tried configuring the KDC and clients with PKINIT for client console login.

I just want the users to get Kerberos tickets when they log in to the Linux client console.

Initially, I tried PAM authentication for the smart card and was successful in using the smart card CA for login with my smart card PIN. So I can log in using the smart card to all Linux machines. However, I also want to get Kerberos tickets once I log in.

This is where pam_krb5 and krb5.conf come into the picture, and I have configured those too with respect to the PKINIT configuration.

Now when I try to log in (after PAM is configured to use Kerberos), I do get a prompt for entering my PIN, but after I enter my PIN, Kerberos still cannot authenticate me, with logs mentioning:

"Decrypt integrity check failed"

I have searched the forums, and I understand that the above log message means that the KDC is not able to decrypt, either because the password is wrong or because it doesn't support the encryption used.

I am confused: if PAM authentication can decrypt and allow me to log in using the smart card CA, why is the KDC not able to decrypt?

It could be that I did not configure krb5.conf accurately.

If I can use kinit to initiate PKINIT with the smart card, I would then be able to debug whether this issue is related to Kerberos only or to PAM and Kerberos.

Please do help me with the respective Kerberos configuration for the smart card.

My smart card info is as below:

Model: ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK

I do not know the code used inside the smart card.

It uses signature algorithm: sha256rsa


Also, please find my comments below.

Thank you for your help, and I would be happy to hear from you.

Regards,

Lohit



On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
> On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> > Dear Community,
> >
> > I assume I have mailed to the right community list for these kinds of
> > questions. If I have mailed to the wrong location, may I please ask for
> > the respective mailing address.
> >
> > I am a system administrator for a high performance cluster, and I am
> > thinking of setting up smart card authentication with Kerberos.
> >
> > I have already completed the Kerberos authentication implementation for users
> > of the cluster, through kinit and GSSAPI.
> >
> > These are the steps that I have followed to set up PKINIT with a smart card.
> >
> > 1. I have created a CA to issue the CA certificates and CA key, and used those to
> > create the KDC certificates and client certificates as mentioned in the
> > link below.
> >
> > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> >
> > 2. However, in order to use the smart card along with PAM and Kerberos
> > authentication, I need to use the CAs given by our organization for the
> > smart card, for which we do not have the CA key.
>
> Your organization's CA can sign a certificate request created by the
> key on the card or by the KDC. The signed request then becomes the certificate
> signed by the CA. You as the Kerberos admin don't need the CA's key.


I had asked the above question assuming that we have to use the smart card CA to create the KDC certificate, for which I would have to send the KDC certificate request to the organization's CA. However, I would like to keep a separate CA for the KDC, and since we can use different CAs, that solves the above issue.


>
> > My question is: do we have to use the same CA for KDC, client and
> > smart card certificates, or could we specify 2 different CAs to the KDC, for
> > the KDC/client certificates and for the smart card certificate?
>
> You can use different CAs. The client will need a copy of the CA certificate
> that signed the KDC's certificate. The KDC needs a copy of the CA certificate
> used to sign the smart card certificate. (simplest case.)
>

I do have the CA used to create the KDC certificate, and also the CA used for the certificate on the smart/PIV card. I have also configured the KDC to use both CAs under a directory. However, the KDC still gives me the error: "Decrypt integrity check failed".



>
> > In that way, it would be helpful if the KDC could use a self-generated CA
> > certificate for the KDC and client certificates, while it uses the
> > smart card CA certificate for user login authentication with the smart card.
> >
> > Also, may I know how to kinit using the smart card, in order to debug whether the
> > issue is with the PAM login attempt or with Kerberos authentication.
> >
> > I would be happy to hear from you.
>
> FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
> Windows 7 and above come with all the software needed if you are
> using certain types of smart cards (HSPD-12 PIV cards, for example).
>
> Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
>
> We use some smart cards with certificates signed by our Windows
> enterprise CA, as well as government issued cards, to log in to Windows
> or Unix.
>
> What cards are you using?
> What code to manage the cards?
> What code on the cards?
> What card readers?
>
> >
> > Thank you
> >
> > Lohit
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
> -- 
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
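The two halves of the trust setup Douglas describes above (the client trusts the CA that signed the KDC certificate, the KDC trusts the CA that signed the smart card certificates) and the direct kinit test Lohit asks for, written out as an added example for MIT Kerberos as packaged on CentOS. This is not configuration from the thread or from the MIT project: the realm EXAMPLE.ORG, the host kdc.example.org, the principal lohit@EXAMPLE.ORG, every file path, the OpenSC PKCS#11 module path, and the assumption that the PIV card's certificate carries a UPN SAN equal to the principal name are all placeholders to be replaced with the site's own values. Comments stand on their own lines because the krb5 profile parser does not strip trailing comments.

```ini
# Client side: /etc/krb5.conf (MIT Kerberos). Realm, hostnames and paths are
# assumed placeholders, not values from the thread.
[libdefaults]
    default_realm = EXAMPLE.ORG
    # 17 and 16 are the PKINIT preauth types. This is already the library
    # default; it is spelled out so the order of preference is explicit.
    preferred_preauth_types = 17, 16, 15, 14
    # The PIV card is reached through a PKCS#11 module (OpenSC path assumed).
    # With this set, kinit and pam_krb5 prompt for the card PIN and use the
    # card's key for PKINIT instead of asking for a Kerberos password.
    pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
        # Trust anchor for the KDC's certificate: the separate KDC CA only.
        # The smart card CA is not needed here; the client never validates
        # its own card certificate, the KDC does.
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
        # Also accept a KDC certificate whose dNSName SAN matches this host,
        # not only one carrying a PKINIT KDC SAN.
        pkinit_kdc_hostname = kdc.example.org
    }

# KDC side: /var/kerberos/krb5kdc/kdc.conf (path as packaged on CentOS).
[realms]
    EXAMPLE.ORG = {
        # The KDC's own certificate and private key, issued by the KDC CA.
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # Trust anchors for client certificates: the organization's smart card
        # CA. DIR: is an OpenSSL-style hashed directory; in practice every PEM
        # file in it is loaded. Put the root(s) here ...
        pkinit_anchors = DIR:/var/kerberos/krb5kdc/cacerts
        # ... and any intermediate issuers of the card certificates here.
        pkinit_pool = DIR:/var/kerberos/krb5kdc/intermediates
        # The KDC maps the card certificate to a principal through its SAN.
        # PIV authentication certificates usually carry a Microsoft UPN SAN
        # rather than a Kerberos id-pkinit-san, so allow UPN matching; the
        # UPN must then equal the client principal (assumed: lohit@EXAMPLE.ORG).
        pkinit_allow_upn = true
        # kpClientAuth (the default) requires the PKINIT-specific
        # id-pkinit-KPClientAuth EKU, which certificates issued for Windows
        # smart card logon usually lack; scLogin additionally accepts the
        # Microsoft Smart Card Logon EKU.
        pkinit_eku_checking = scLogin
    }

# Test PKINIT on the client with PAM out of the loop. -X overrides the
# pkinit_identities setting above for this one run. A PIN prompt means PKINIT
# is actually being attempted; a "Password for lohit@EXAMPLE.ORG:" prompt
# means the client fell back to password preauthentication, and a PIN typed
# there is used as the principal's password to key the encrypted timestamp,
# which the KDC cannot decrypt. KRB5_TRACE shows the preauth types the KDC
# offered and the identity the client selected.
#
#   KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so lohit@EXAMPLE.ORG
#   klist
```

Running the kinit line first, before touching the PAM stack, answers the question posed in the message: if kinit obtains a TGT with the card, the remaining problem is in pam_krb5's configuration; if kinit itself fails, the KDC log and the KRB5_TRACE output point at the certificate chain, the EKU check or the SAN-to-principal mapping.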


More information about the Kerberos mailing list