Reg: pkinit with smartcard on kerberos V5

Douglas E. Engert deengert at anl.gov
Sun Mar 10 20:24:54 EDT 2013



On 3/9/2013 11:48 AM, lohitv9 at gmail.com wrote:
> Hello Douglas,
>
> Thank you for your reply. It gives me a hope to solve the ongoing issue.
>
> Please let me give an explanation of the environment in which I am trying to use smart cards.
>
> I would like to use both Linux(centos) and Windows as client machines

I have been talking to another individual about PKINIT with GDM on CentOS.
It is not clear if the CentOS pam_krb5 supports PKINIT or not. I do
not have a CentOS system to test.  (Maybe someone else on the list knows
if the CentOS pam_krb5 can do PKINIT.)

You say below that you can logon to the system with the smart card,
but that may be a local logon to the machine done with the pam_pkcs11.so
module, not with the pam_krb5. Check the pam configuration files.

>
> However, only Linux (CentOS) is used as our server operating system. CentOS is a Red Hat Linux variant.
>
> I already have a fully configured working setup of OpenLDAP, GSSAPI and Kerberos as the user authorization and authentication mechanism with Windows and Linux clients.
> The OpenLDAP repository is used as the principal database for Kerberos, so OpenLDAP (389 Directory Server) is used for authorization and Kerberos is used for authentication.
>
> Users can log in using Kerberos password authentication with ssh, and they receive Kerberos tickets with the current configuration.
>
> However, I would like to get rid of passwords and use PIV card PKINIT authentication with Kerberos instead of passwords.
>
> I understand that AD and Windows have a good implementation of PKINIT, but I do want to use AD for the KDC or for directory service.
>

Yes, so if you wish to use AD as the KDC with a smartcard,
you should make sure Windows smartcard login works first.
Windows 7 has all the PCSC and PIV drivers built in, so there
is no extra code.

>
> I have tried configuring the KDC and clients with PKINIT for client console login.
>
> I would just want the users to get Kerberos tickets when they log in to the Linux client console.
>
> Initially I tried PAM authentication for the smartcard, and I was successful in using the smartcard CA for login with my smartcard PIN. So I can log in using the smartcard to all Linux machines. However, I also want to get Kerberos tickets once I log in.
>
> This is where pam_krb5 and krb5.conf come into the picture, and I have configured those too with respect to the PKINIT configuration.
>

There are many implementations of pam_krb5 based on different code bases.
I have had good success using the Debian version on Solaris and on Ubuntu
(which comes with this version):

http://www.eyrie.org/~eagle/software/pam-krb5/

If the CentOS pam_krb5 does not support PKINIT, you may want to try
the above version. (Or try running the Ubuntu or Debian OS as a test.)


> Now when I try to log in (after PAM is configured to use Kerberos), I do get a prompt for entering my PIN, but after I enter my PIN Kerberos still cannot authenticate me, with logs mentioning that:
>

The PIN prompt may be from pam_pkcs11.so, not the pam_krb5.

> " Decrypt integrity check failed"
>

This usually means the password is not valid, or a keytab does not match the KDC's
version.

> I have searched the forums, and I understand that the above log message means that the KDC is not able to decrypt, either because the password is wrong or because it doesn't support the encryption used.
>
> I am confused that, if PAM authentication can decrypt and allow me to log in using the smart card CA, why is the KDC not able to decrypt?
>

The login may be from the pam_pkcs11.so

All PAM modules accept a debug option to write debug info
to syslog. You may want to add the debug option to the pam_pkcs11.so and pam_krb5.so
lines in the PAM config files.

Wireshark network traces can also help, as it can show a lot of the
Kerberos packets.


> It could be that I did not configure the krb5.conf accurately.
>
> If I can use kinit to initiate PKINIT with the smart card, I would then be able to debug whether this issue is related to Kerberos only, or to PAM and Kerberos.
>

Yes kinit can use PKINIT, even if the pam_krb5 can not.

> Please do help me with the respective kerberos configuration for smartcard.
>
> MY smartcard info is as below :
>
> Model : ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK
>

I am assuming that the card was issued to you by some government CA.


> I do not know the code used inside the smartcard.
>
> It uses signature algorithm: sha256RSA
>
>
> Also please do find my comments as below .
>
> Thank you for your help, and I would be happy to hear from you.
>
> Regards,
>
> Lohit
>
>


I am out of the office all next week and may not respond quickly.


> On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
>> On 2/26/2013 3:39 PM, Lohit Valleru wrote:
>>> Dear Community,
>>>
>>> I assume, i have mailed to the right community list for these kind of
>>> questions. If i have mailed to the wrong location - may i please ask for
>>> the respective mailing address.
>>>
>>> I am a system administrator for a high performance cluster, and I am
>>> thinking of setting up a smartcard authentication with kerberos.
>>>
>>> I have already completed kerberos authentication implementation for users
>>> of the cluster, through kinit and gssapi.
>>>
>>> These are the steps that i have followed to setup pkinit with smartcard.
>>>
>>> 1. I have created a CA to issue the CA certificates, CAkey and use those to
>>> create the KDC certificates and Client certificates as mentioned in the
>>> below link .
>>>
>>> http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
>>>
>>> 2. However, in order to use smartcard along with PAM and kerberos
>>> authentication - i need to use the CAs given by our organization for the
>>> smart card, for which we do not have the CA key.
>>
>> Your organization's CA can sign a certificate request created by the
>> key on the card or by the KDC. The signed request then becomes the certificate
>> signed by the CA. You as the Kerberos admin don't need the CA's key.
>
> I had asked the above question, assuming if we have to use the SMART card CA to create the KDC certificate, for which i would have to send the KDC certificate request to the organization's CA. However I would like to keep a separate CA for the KDC, and since we can use different CA's - that solves the above issue.
>
>>> My question is : If we have to use the same CA for KDC, Client and
>>> Smartcard certificates? or if we could mention 2 different CA's to KDC for
>>> KDC,Client certificates and Smartcard certificate?
>>
>> You can use different CAs. The client will need a copy of the CA certificate
>> that signed the KDC's certificate. The KDC needs a copy of the CA certificate
>> used to sign the smart card certificate. (simplest case.)
>
> I do have the CA used to create the KDC, and also the CA used for the certificate on the SMART/PIV card. I have also configured KDC to use both CA's under a directory. However, KDC still gives me the error : " Decrypt Integrity check failed".
>
>>> In that way, It would be helpful - If KDC could use a self-generated CA
>>> certificate for the KDC and Client certificate, while it will use the
>>> Smartcard CA certificate for user login authentication with smart card.
>>>
>>> Also, may i know how we kinit using smartcard - in order to debug if the
>>> issue is with PAM login attempt or kerberos authentication.
>>>
>>> I would be happy to hear from you.
>>
>> FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
>> Windows 7 and above come with all the software needed if you are
>> using certain types of smart cards (HSPD-12 PIV) cards for example.
>>
>> Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
>>
>> We use some smart cards with certificates signed by our windows
>> enterprise CA, as well as government issued cards to login to Windows
>> or Unix.
>>
>> What cards are you using?
>> What code to manage the cards?
>> What code to the cards?
>> What card readers?
>>
>>> Thank you
>>>
>>> Lohit
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>>    Douglas E. Engert  <DEEngert at anl.gov>
>>    Argonne National Laboratory
>>    9700 South Cass Avenue
>>    Argonne, Illinois  60439
>>    (630) 252-5444
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
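An added example, not code from anyone in this thread, of the two-CA layout Douglas describes (the client trusts only the CA that signed the KDC certificate; the KDC trusts the CA that issued the card certificates) together with the kinit invocation Lohit asks about, written for MIT krb5 with a PKCS#11 smartcard. The realm, KDC hostname, certificate paths and PKCS#11 module path are assumptions; the kinit and card-listing steps need a real reader, card and reachable KDC, so they are only defined here, not run.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Everything below the
# comment markers "assumed" is a placeholder to be replaced for a real site.

REALM=EXAMPLE.ORG                           # assumed realm
KDC_HOST=kdc.example.org                    # assumed KDC hostname
KDC_CA=/etc/pki/kdc-ca.pem                  # assumed: CA that signed the KDC cert
PKCS11_MODULE=/usr/lib64/opensc-pkcs11.so   # assumed: PKCS#11 module for the PIV card

# Client side: krb5.conf only needs the KDC's CA as a PKINIT anchor. The
# smartcard CA is NOT listed here; the KDC, not the client, validates the
# card certificate. pkinit_identities tells kinit to look for the client
# cert and key on the card through the PKCS#11 module.
write_client_krb5_conf() {
    out=$1
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = $KDC_HOST
        pkinit_anchors = FILE:$KDC_CA
        pkinit_identities = PKCS11:$PKCS11_MODULE
    }
EOF
}

# KDC side: kdc.conf presents the KDC's own cert/key and trusts the CA(s)
# that issued the card certificates. DIR: takes a directory of PEM CA
# certs, so a separate KDC CA and smartcard CA can both live there.
write_kdc_conf_fragment() {
    out=$1
    cat > "$out" <<EOF
[realms]
    $REALM = {
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        pkinit_anchors = DIR:/var/kerberos/krb5kdc/cacerts
    }
EOF
}

# Count pkinit_anchors entries in a generated file, so the layout can be
# checked without a card or KDC present.
count_anchors() {
    grep -c 'pkinit_anchors' "$1"
}

# Sanity check before touching Kerberos: can the PKCS#11 module see a
# certificate on the card at all? (pkcs11-tool ships with OpenSC.)
list_card_certs() {
    pkcs11-tool --module "$PKCS11_MODULE" --list-objects --type cert
}

# Obtain a TGT with the card, bypassing PAM entirely. KRB5_TRACE (MIT krb5
# 1.9 and later) prints each preauth step to stderr, which shows whether
# PKINIT was attempted and accepted before any
# "Decrypt integrity check failed" appears.
pkinit_with_card() {
    principal=$1
    KRB5_CONFIG=${2:-/etc/krb5.conf} KRB5_TRACE=/dev/stderr \
        kinit -X X509_user_identity="PKCS11:$PKCS11_MODULE" "$principal" && klist
}
```

Usage on a workstation with the card inserted would be `write_client_krb5_conf /tmp/krb5.conf; pkinit_with_card lohit@EXAMPLE.ORG /tmp/krb5.conf` (assumed principal). If kinit succeeds this way but console login still fails, the problem is in the PAM stack rather than in the KDC or the certificates; if kinit also fails, the trace output narrows it to the anchor, identity or card layer.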
