Reg: pkinit with smartcard on kerberos V5

lohitv9 lohitv9 at gmail.com
Sat Mar 9 17:43:10 EST 2013


Hello Douglas,

Please let me give an explanation of the environment in which I am trying to use
smart cards.

I would like to use both Linux (CentOS) and Windows as client machines.

However, only Linux (CentOS) is used as our server operating system. CentOS
is a Red Hat Linux variant.

I already have a fully configured working setup of OpenLDAP, GSSAPI, and
Kerberos as the user authorization and authentication mechanism with
Windows and Linux clients.
The OpenLDAP repository is used as the principal database for Kerberos, so
OpenLDAP (389 Directory Server) is used for authorization and Kerberos is
used for authentication.

Users can log in using password Kerberos authentication with ssh and they
will receive Kerberos tickets with the current configuration.

However, I would like to get rid of passwords and use PIV card PKINIT
authentication with Kerberos instead of passwords.

I understand that AD and Windows have a good implementation of PKINIT, but I
do want to use AD for the KDC or for the directory service.

I have tried configuring the KDC and clients with PKINIT for client console
login.

I would just want the users to get Kerberos tickets when they log in to the Linux
client console.

Initially I tried PAM authentication for the smart card and I was
successful in using the smart card CA for login using my smart card PIN. So I can
log in using the smart card to all Linux machines. However, I would also want to
get Kerberos tickets once I log in.

This is where pam_krb5 and krb5.conf come into the picture, and I have
configured those too with respect to the PKINIT configuration.

Now when I try to log in (after PAM is configured to use Kerberos), I do get
a prompt for entering my PIN, but after I enter my PIN Kerberos still
cannot authenticate me, with logs mentioning:

*"Decrypt integrity check failed"*

I have searched the forums, and I understand that the above log message
means that the KDC is not able to decrypt, either because the password is wrong
or it doesn't support the encryption used.

I am confused: if PAM authentication can decrypt and allow me to log in
using the smart card CA, why is the KDC not able to decrypt?

It could be that I did not configure krb5.conf accurately.

If I can use kinit to initiate PKINIT with the smart card, I would then be able to
debug whether this issue is related to Kerberos only or to PAM and Kerberos.

Please do help me with the respective Kerberos configuration for the smart card.

My smart card info is as below:

Model: ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK

I do not know the code used inside the smart card.

It uses signature algorithm: sha256rsa.

I use ActivClient card readers, and they function properly within a Linux
environment.

Please do let me know if I have to provide any more information on the
smart card itself, or the certificates residing inside the smart card.

-------------------------------------------------------------------------------------------------------

On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
> On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> > Dear Community,
> >
> > I assume I have mailed to the right community list for these kinds of
> > questions. If I have mailed to the wrong location, may I please ask for
> > the respective mailing address.
> >
> > I am a system administrator for a high performance cluster, and I am
> > thinking of setting up smartcard authentication with Kerberos.
> >
> > I have already completed Kerberos authentication implementation for users
> > of the cluster, through kinit and GSSAPI.
> >
> > These are the steps that I have followed to set up PKINIT with smartcard.
> >
> > 1. I have created a CA to issue the CA certificates, CAkey and use those to
> > create the KDC certificates and client certificates as mentioned in the
> > below link.
> >
> > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> >
> > 2. However, in order to use smartcard along with PAM and Kerberos
> > authentication, I need to use the CAs given by our organization for the
> > smart card, for which we do not have the CA key.
>
> Your organization's CA can sign a certificate request created by the
> key on the card or by the KDC. The signed request then becomes the certificate
> signed by the CA. You as the Kerberos admin don't need the CA's key.


I had asked the above question assuming that we have to use the smart card CA
to create the KDC certificate, for which I would have to send the KDC
certificate request to the organization's CA. However, I would like to keep a
separate CA for the KDC, and since we can use different CAs, that solves
the above issue.


>
> > My question is: if we have to use the same CA for KDC, client and
> > smartcard certificates? Or if we could mention 2 different CAs to the KDC for
> > KDC, client certificates and smartcard certificate?
>
> You can use different CAs. The client will need a copy of the CA certificate
> that signed the KDC's certificate. The KDC needs a copy of the CA certificate
> used to sign the smart card certificate. (simplest case.)

I do have the CA used to create the KDC certificate, and also the CA used for the
certificate on the smart/PIV card. I have also configured the KDC to use both
CAs under a directory. However, the KDC still gives me the error: "Decrypt
integrity check failed".



>
> > In that way, it would be helpful if the KDC could use a self-generated CA
> > certificate for the KDC and client certificate, while it will use the
> > smartcard CA certificate for user login authentication with smart card.
> >
> > Also, may I know how we kinit using smartcard, in order to debug if the
> > issue is with the PAM login attempt or Kerberos authentication.
> >
> > I would be happy to hear from you.
>
> FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
> Windows 7 and above come with all the software needed if you are
> using certain types of smart cards (HSPD-12 PIV) cards for example.
>
> Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
>
> We use some smart cards with certificates signed by our Windows
> enterprise CA, as well as government issued cards to log in to Windows
> or Unix.
>
> What cards are you using?
> What code to manage the cards?
> What code on the cards?
> What card readers?
>
> > Thank you
> >
> > Lohit
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
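
The kinit test the message asks about, as an added example that is not part of the thread (it is neither the poster's nor Engert's code and not MIT's documentation): a client-side krb5.conf fragment for PKINIT against a PKCS#11 token, a check that a krb5.conf carries the two keys kinit needs for PKINIT, and the kinit invocation with KRB5_TRACE so a KDC rejection is visible without PAM in the loop. The realm EXAMPLE.COM, the KDC host kdc.example.com, the CA file path /etc/krb5/kdc-ca.pem and the OpenSC module path /usr/lib64/pkcs11/opensc-pkcs11.so are assumptions; the option names (pkinit_anchors, pkinit_identities, pkinit_eku_checking, kinit -X X509_user_identity, KRB5_TRACE) are real MIT krb5 names.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All paths, the realm and
# the KDC host below are assumed values; adjust them to the real environment.

# Write a minimal client-side krb5.conf fragment for PKINIT with a PIV card
# reached through a PKCS#11 module (assumed: OpenSC at the path below).
write_pkinit_client_conf() {
    out=$1
    cat > "$out" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # CA that signed the KDC's certificate; the client must trust it.
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
        # Where the client's own certificate and key live: the card, via PKCS#11.
        pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
        # Require the KDC certificate to carry the KDC EKU (the default).
        pkinit_eku_checking = kpKDC
    }
EOF
}

# Check that a krb5.conf carries the two settings kinit needs for PKINIT.
# Returns 0 when both are present, 1 otherwise, naming each missing key.
check_pkinit_conf() {
    conf=$1
    rc=0
    for key in pkinit_anchors pkinit_identities; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
            echo "missing: $key" >&2
            rc=1
        fi
    done
    return $rc
}

# Build the kinit command that exercises PKINIT directly: the identity is
# given explicitly and KRB5_TRACE sends the library's trace to stderr, so a
# failed anchor check or a KDC error shows which step rejected the exchange.
pkinit_kinit_cmd() {
    principal=$1
    module=${2:-/usr/lib64/pkcs11/opensc-pkcs11.so}
    printf 'KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=PKCS11:%s %s\n' \
        "$module" "$principal"
}

# Run that command (card inserted; kinit prompts for the PIN).
pkinit_kinit() {
    principal=$1
    module=${2:-/usr/lib64/pkcs11/opensc-pkcs11.so}
    KRB5_TRACE=/dev/stderr kinit -X "X509_user_identity=PKCS11:$module" "$principal"
}

# Typical use on a client:
#   write_pkinit_client_conf /tmp/krb5.conf.pkinit
#   check_pkinit_conf /tmp/krb5.conf.pkinit && KRB5_CONFIG=/tmp/krb5.conf.pkinit pkinit_kinit lohit@EXAMPLE.COM
```

Running kinit this way separates the two halves of the problem: if PKINIT succeeds from the command line but the console login still fails, the PAM stack is what needs attention; if kinit fails too, the trace output shows whether the client rejected the KDC's certificate, could not read the card, or received an error from the KDC. On the KDC side, kdc.conf needs the matching pkinit_identity (the KDC's own certificate and key) and pkinit_anchors (the CA that issued the card certificates); those two keys are not covered by the fragment above.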


