Reg: pkinit with smartcard on kerberos V5

lohitv9@gmail.com lohitv9 at gmail.com
Sat Mar 9 12:54:49 EST 2013


Also, I use ActivClient smartcard readers and they are acceptable for Linux systems without any issue.


On Saturday, March 9, 2013 12:48:23 PM UTC-5, loh... at gmail.com wrote:
> Hello Douglas,
> 
> Thank you for your reply. It gives me hope to solve the ongoing issue.
> 
> Please let me give an explanation of the environment in which I am trying to use smart cards.
> 
> I would like to use both Linux (CentOS) and Windows as client machines.
> 
> However, only Linux (CentOS) is used as our server operating system. CentOS is a Red Hat Linux variant.
> 
> I already have a fully configured working setup of OpenLDAP, GSSAPI, and Kerberos as the user authorization and authentication mechanism with Windows and Linux clients.
> 
> The OpenLDAP repository is used as the principal database for Kerberos, so OpenLDAP (389 Directory Server) is used for authorization and Kerberos is used for authentication.
> 
> Users can log in using password Kerberos authentication with ssh, and they receive Kerberos tickets with the current configuration.
> 
> However, I would like to get rid of passwords and use PIV card pkinit authentication with Kerberos instead of using passwords.
> 
> I understand that AD and Windows have a good implementation of pkinit, but I do want to use AD for KDC or for directory service.
> 
> I have tried configuring the KDC and clients with pkinit for client console login.
> 
> I would just want the users to get Kerberos tickets when they log in to the Linux client console.
> 
> Initially, I tried PAM authentication for the smartcard and I was successful in using the smartcard CA for login using my smart card PIN. So I can log in using the smartcard to all Linux machines. However, I also would want to get Kerberos tickets once I log in.
> 
> This is where pam_krb5 and krb5.conf come into the picture, and I have configured those too with respect to the pkinit configuration.
> 
> Now when I try to log in (after PAM is configured to use Kerberos), I do get a prompt for entering my PIN, but after I enter my PIN, Kerberos still cannot authenticate me, with logs mentioning that:
> 
> "Decrypt integrity check failed"
> 
> I have searched the forums, and I understand that the above log message means that the KDC is not able to decrypt, either because the password is wrong or it doesn't support the encryption used.
> 
> I am confused: if PAM authentication can decrypt and allow me to log in using the smart card CA, why is it that the KDC is not able to decrypt?
> 
> It could be that I did not configure the krb5.conf accurately.
> 
> If I can use kinit to initiate pkinit with the smart card, I would then be able to debug whether this issue is related to Kerberos only or to PAM and Kerberos.
> 
> Please do help me with the respective Kerberos configuration for the smartcard.
> 
> My smartcard info is as below:
> 
> Model: ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK
> 
> I do not know the code used inside the smartcard.
> 
> It uses signature algorithm: sha256RSA
> 
> Also please do find my comments below.
> 
> Thank you for your help, and I would be happy to hear from you.
> 
> Regards,
> 
> Lohit
> 
> On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
> > On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> > > Dear Community,
> > >
> > > I assume I have mailed to the right community list for these kinds of
> > > questions. If I have mailed to the wrong location, may I please ask for
> > > the respective mailing address.
> > >
> > > I am a system administrator for a high performance cluster, and I am
> > > thinking of setting up smartcard authentication with Kerberos.
> > >
> > > I have already completed the Kerberos authentication implementation for users
> > > of the cluster, through kinit and GSSAPI.
> > >
> > > These are the steps that I have followed to set up pkinit with the smartcard.
> > >
> > > 1. I have created a CA to issue the CA certificates and CA key, and used those to
> > > create the KDC certificates and client certificates as mentioned in the
> > > link below.
> > >
> > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> > >
> > > 2. However, in order to use the smartcard along with PAM and Kerberos
> > > authentication, I need to use the CAs given by our organization for the
> > > smart card, for which we do not have the CA key.
> >
> > Your organization's CA can sign a certificate request created by the
> > key on the card or by the KDC. The signed request then becomes the certificate
> > signed by the CA. You as the Kerberos admin don't need the CA's key.
>
> I had asked the above question assuming that we have to use the smart card CA to create the KDC certificate, for which I would have to send the KDC certificate request to the organization's CA. However, I would like to keep a separate CA for the KDC, and since we can use different CAs, that solves the above issue.
>
> > > My question is: do we have to use the same CA for KDC, client and
> > > smartcard certificates? Or could we mention 2 different CAs to the KDC for
> > > KDC/client certificates and the smartcard certificate?
> >
> > You can use different CAs. The client will need a copy of the CA certificate
> > that signed the KDC's certificate. The KDC needs a copy of the CA certificate
> > used to sign the smart card certificate. (simplest case.)
>
> I do have the CA used to create the KDC, and also the CA used for the certificate on the smart/PIV card. I have also configured the KDC to use both CAs under a directory. However, the KDC still gives me the error: "Decrypt integrity check failed".
>
> > > In that way, it would be helpful if the KDC could use a self-generated CA
> > > certificate for the KDC and client certificate, while it uses the
> > > smartcard CA certificate for user login authentication with the smart card.
> > >
> > > Also, may I know how we kinit using the smartcard, in order to debug whether the
> > > issue is with the PAM login attempt or Kerberos authentication.
> > >
> > > I would be happy to hear from you.
> >
> > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
> > Windows 7 and above come with all the software needed if you are
> > using certain types of smart cards (HSPD-12 PIV cards, for example).
> >
> > Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
> >
> > We use some smart cards with certificates signed by our Windows
> > enterprise CA, as well as government issued cards to log in to Windows
> > or Unix.
> >
> > What cards are you using?
> > What code to manage the cards?
> > What code to the cards?
> > What card readers?
> >
> > > Thank you
> > >
> > > Lohit
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > -- 
> >
> >   Douglas E. Engert
> >   Argonne National Laboratory
> >   9700 South Cass Avenue
> >   Argonne, Illinois  60439
> >   (630) 252-5444



On Saturday, March 9, 2013 12:48:23 PM UTC-5, loh... at gmail.com wrote:
> Hello Douglas, 
> 
> 
> 
> Thank you for your reply. It gives me a hope to solve the ongoing issue.
> 
> 
> 
> Please let me give an explanation of the environment that i am trying to use smart cards.
> 
> 
> 
> I would like to use both Linux(centos) and Windows as client machines
> 
> 
> 
> However, only Linux( centos) is used as our server operating systems. Centos is a Red hat linux variant.
> 
> 
> 
> I already have a full configured working setup of : OpenLDAP, GSSAPI, and Kerberos setup as the User authorization and authentication mechanism with windows and linux clients.
> 
> OpenLDAP repository is used as a principal database for Kerberos, so OpenLDAP(389-directory server) is used for authorization and Kerberos is used for authentication.
> 
> 
> 
> Users can login using password kerberos authentication with ssh and they will receive kerberos tickets with the current configuration.
> 
> 
> 
> However, i would like to get rid of passwords and use PIV card pkinit authentication with kerberos instead of using passwords.
> 
> 
> 
> I understand that AD and windows have a good implementation of pkinit but i do want to use AD for KDC or for directory service.
> 
> 
> 
> 
> 
> I have tried configuring KDC and clients with pkinit for client console login.
> 
> 
> 
> I would just want the users to get kerberos tickets when they login to Linux client console.
> 
> 
> 
> Initially - I have tried PAM authentication for smartcard and I was successful in using Smartcard CA for login using my smart card pin. So i can login using smartcard to all linux machines. However i also would want to get kerberos tickets once i login.
> 
> 
> 
> This is where PAM_krb5 and krb5.conf comes into the picture, and i have configured those too with respect to the pkinit configuration.
> 
> 
> 
> Now when i try to login ( after PAM is configured to use kerberos), i do get a prompt for entering my pin , but after i enter my pin - Kerberos still cannot authenticate me, with logs mentioning that :
> 
> 
> 
> " Decrypt integrity check failed "
> 
> 
> 
> I have searched the forums, and i understand that the above log message means that, KDC is not able to decrypt either because the password is wrong or it doesnt support the encryption used.
> 
> 
> 
> I am confused that, if PAM authentication can decrypt and allow me to login using the SMART card CA . Why is that KDC is not able to decrypt.
> 
> 
> 
> I could be that i did not configure the krb5.conf accurately.
> 
> 
> 
> If i can use kinit to initiate pkinit with smart card, i would then able to debug if this issue is related to kerberos only or pam and kerberos.
> 
> 
> 
> Please do help me with the respective kerberos configuration for smartcard.
> 
> 
> 
> MY smartcard info is as below :
> 
> 
> 
> Model : ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK
> 
> 
> 
> I do not know the code used inside the smartcard.
> 
> 
> 
> its uses signature algorithm: sha256rsa
> 
> 
> 
> 
> 
> Also please do find my comments as below .
> 
> 
> 
> Thank you for your help, and I would be happy to hear from you.
> 
> 
> 
> Regards,
> 
> 
> 
> Lohit
> 
> 
> 
> 
> 
> 
> 
> On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
> 
> > On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> 
> > 
> 
> > > Dear Community,
> 
> > 
> 
> > >
> 
> > 
> 
> > > I assume, i have mailed to the right community list for these kind of
> 
> > 
> 
> > > questions. If i have mailed to the wrong location - may i please ask for
> 
> > 
> 
> > > the respective mailing address.
> 
> > 
> 
> > >
> 
> > 
> 
> > > I am a system administrator for a high performance cluster, and I am
> 
> > 
> 
> > > thinking of setting up a smartcard authentication with kerberos.
> 
> > 
> 
> > >
> 
> > 
> 
> > > I have already completed kerberos authentication implementation for users
> 
> > 
> 
> > > of the cluster,through kinit and gssapi.
> 
> > 
> 
> > >
> 
> > 
> 
> > > These are the steps that i have followed to setup pkinit with smartcard.
> 
> > 
> 
> > >
> 
> > 
> 
> > > 1. I have created a CA to issue the CA certificates, CAkey and use those to
> 
> > 
> 
> > > create the KDC certificates and Client certificaties as mentioned in the
> 
> > 
> 
> > > below link .
> 
> > 
> 
> > >
> 
> > 
> 
> > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> 
> > 
> 
> > >
> 
> > 
> 
> > > 2. However, in order to use smartcard along with PAM and kerberos
> 
> > 
> 
> > > authentication - i need to use the CAs given by our organization for the
> 
> > 
> 
> > > smart card, for which we do not have the CA key.
> 
> > 
> 
> > 
> 
> > 
> 
> > Your organization's CA can sign a certificate request created by the
> 
> > 
> 
> > key on the card or by the KDC. The signed request then becomes the certificate.
> 
> > 
> 
> > signed by the CA. You as the Kerberos admin don't need the CA's key.
> 
> 
> 
> 
> 
> I had asked the above question assuming that we have to use the smart card CA to create the KDC certificate, for which I would have to send the KDC certificate request to the organization's CA. However, I would like to keep a separate CA for the KDC, and since we can use different CAs, that solves the above issue.
> 
> > > My question is: do we have to use the same CA for KDC, client and
> > > smartcard certificates? Or could we mention 2 different CAs to the KDC for
> > > the KDC/client certificates and the smartcard certificate?
> > 
> > You can use different CAs. The client will need a copy of the CA certificate
> > that signed the KDC's certificate. The KDC needs a copy of the CA certificate
> > used to sign the smart card certificate. (simplest case.)
> 
> I do have the CA used to create the KDC, and also the CA used for the certificate on the smart/PIV card. I have also configured the KDC to use both CAs under a directory. However, the KDC still gives me the error: "Decrypt Integrity check failed".
> 
> > > In that way, it would be helpful if the KDC could use a self-generated CA
> > > certificate for the KDC and client certificates, while it uses the
> > > smartcard CA certificate for user login authentication with the smart card.
> > >
> > > Also, may I know how we kinit using the smartcard, in order to debug whether the
> > > issue is with the PAM login attempt or with Kerberos authentication?
> > >
> > > I would be happy to hear from you.
> > 
> > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
> > Windows 7 and above come with all the software needed if you are
> > using certain types of smart cards (HSPD-12 PIV cards, for example).
> > 
> > Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
> > 
> > We use some smart cards with certificates signed by our Windows
> > enterprise CA, as well as government-issued cards, to log in to Windows
> > or Unix.
> > 
> > What cards are you using?
> > What code to manage the cards?
> > What code to the cards?
> > What card readers?
> > 
> > > Thank you
> > >
> > > Lohit
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> > -- 
> >   Douglas E. Engert
> >   Argonne National Laboratory
> >   9700 South Cass Avenue
> >   Argonne, Illinois  60439
> >   (630) 252-5444
> 
> On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
> 
> > On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> > 
> > > Dear Community,
> > >
> > > I assume I have mailed to the right community list for these kinds of
> > > questions. If I have mailed to the wrong location, may I please ask for
> > > the respective mailing address.
> > >
> > > I am a system administrator for a high performance cluster, and I am
> > > thinking of setting up smartcard authentication with Kerberos.
> > >
> > > I have already completed the Kerberos authentication implementation for users
> > > of the cluster, through kinit and GSSAPI.
> > >
> > > These are the steps that I have followed to set up PKINIT with a smartcard.
> > >
> > > 1. I have created a CA to issue the CA certificates and CA key, and used those to
> > > create the KDC certificates and client certificates as mentioned in the
> > > link below.
> > >
> > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> > >
> > > 2. However, in order to use the smartcard along with PAM and Kerberos
> > > authentication, I need to use the CAs given by our organization for the
> > > smart card, for which we do not have the CA key.
> > 
> > Your organization's CA can sign a certificate request created by the
> > key on the card or by the KDC. The signed request then becomes the certificate
> > signed by the CA. You as the Kerberos admin don't need the CA's key.
> > 
> > > My question is: do we have to use the same CA for KDC, client and
> > > smartcard certificates? Or could we mention 2 different CAs to the KDC for
> > > the KDC/client certificates and the smartcard certificate?
> > 
> > You can use different CAs. The client will need a copy of the CA certificate
> > that signed the KDC's certificate. The KDC needs a copy of the CA certificate
> > used to sign the smart card certificate. (simplest case.)
> > 
> > > In that way, it would be helpful if the KDC could use a self-generated CA
> > > certificate for the KDC and client certificates, while it uses the
> > > smartcard CA certificate for user login authentication with the smart card.
> > >
> > > Also, may I know how we kinit using the smartcard, in order to debug whether the
> > > issue is with the PAM login attempt or with Kerberos authentication?
> > >
> > > I would be happy to hear from you.
> > 
> > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
> > Windows 7 and above come with all the software needed if you are
> > using certain types of smart cards (HSPD-12 PIV cards, for example).
> > 
> > Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
> > 
> > We use some smart cards with certificates signed by our Windows
> > enterprise CA, as well as government-issued cards, to log in to Windows
> > or Unix.
> > 
> > What cards are you using?
> > What code to manage the cards?
> > What code to the cards?
> > What card readers?
> > 
> > > Thank you
> > >
> > > Lohit
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> > -- 
> >   Douglas E. Engert
> >   Argonne National Laboratory
> >   9700 South Cass Avenue
> >   Argonne, Illinois  60439
> >   (630) 252-5444



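A worked configuration for the two-CA layout Engert describes (the client trusts the CA that issued the KDC certificate, the KDC trusts the CA that issued the card certificate), together with the kinit invocation Lohit asks about for debugging without PAM. This is an added example, not configuration from the thread or from the MIT documentation; the realm EXAMPLE.ORG, host names, file paths and the user principal are assumptions.

```ini
; kdc.conf on the KDC (realm, host names and paths are assumptions).
; The KDC verifies the certificate presented from the card, so its trust
; anchor is the organization's smart-card (PIV) CA; its private key is never needed.
[realms]
    EXAMPLE.ORG = {
        ; KDC certificate and key: CSR generated on the KDC, signed by the local KDC CA
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        ; trust anchor for the user's card certificate: the organization's PIV CA
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/piv-ca.pem
        ; more anchors: repeat the line, or point at an OpenSSL-style hashed
        ; directory (c_rehash naming), which is the documented DIR: layout:
        ; pkinit_anchors = DIR:/var/kerberos/krb5kdc/cacerts
        ; intermediate CAs between the PIV root and the card certificate, if any
        pkinit_pool = FILE:/var/kerberos/krb5kdc/piv-intermediates.pem
    }

; krb5.conf on each CentOS client. The client verifies the KDC's certificate,
; so its anchor is the local KDC CA; the PIV CA is not needed on the client.
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
        pkinit_anchors = FILE:/etc/pki/tls/certs/kdc-ca.pem
        ; certificate and key stay on the card and are reached through OpenSC's
        ; PKCS#11 module; the module path is an assumption for a 64-bit CentOS host
        pkinit_identities = PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so
        ; the KDC certificate should carry the id-pkinit-san for
        ; krbtgt/EXAMPLE.ORG@EXAMPLE.ORG; only fall back to the weaker
        ; host-name match below if it does not:
        ; pkinit_kdc_hostname = kdc.example.org
    }

; To separate the Kerberos leg from PAM, take the ticket directly with kinit
; on a client (the principal is an assumption); -V reports each step:
;   kinit -V -X X509_user_identity=PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so lohit@EXAMPLE.ORG
;   klist
```

With KRB5_TRACE=/dev/stderr set in the shell running that kinit, the library logs the PKINIT pre-authentication steps, which tells a client-side certificate or card problem apart from a rejection by the KDC.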