Reg: pkinit with smartcard on kerberos V5

Nalin Dahyabhai nalin at redhat.com
Tue Mar 12 17:55:55 EDT 2013 

On Sun, Mar 10, 2013 at 07:24:54PM -0500, Douglas E. Engert wrote:
> On 3/9/2013 11:48 AM, lohitv9 at gmail.com wrote:
> > Hello Douglas,
> >
> > Thank you for your reply. It gives me a hope to solve the ongoing issue.
> >
> > Please let me give an explanation of the environment that i am trying to use smart cards.
> >
> > I would like to use both Linux(centos) and Windows as client machines
> 
> I have been talking to another individual about PKINIT with GDM on CentOS.
> It is not clear if the CentOS pam_krb5 supports PKINIT or not. I do
> not have a CentOS system to test.  (Maybe someone else on the list knows
> if the CentOS pam_krb5 can do PKINIT.)

Yes, it can.

The short version is that you want to get kinit working first - this
means configuring krb5.conf with the usual pkinit_anchors and, if
needed, pkinit_pool settings.

If the KDC's certificate isn't quite what the client module is expecting
(for example, if the KDC is an AD domain controller using a domain
controller certificate issued by ADCS), using pkinit_kdc_hostname (set
to the domain controller's idea of what its hostname is) and/or
pkinit_eku_checking (set to "kpServerAuth") may also be necessary.

And if the PKINIT module (in the krb5-pkinit-openssl binary package in
CentOS 6) can't select exactly one certificate from the client's smart
card, you'll also need to set pkinit_cert_match to a value that'll
instruct PKINIT on how to do so (depending on the PIV card, we sometimes
have to go with "<KU>digitalSignature<EKU>msScLogin").

The last thing you'd need to set is the location of the client's
credentials.  My personal preference is to only set that when you intend
to use PKINIT, for example by passing the location in in the form of an
option to kinit:
  kinit -X X509_user_identity=PKCS11:my_pkcs11_module.so

The pam_krb5 that comes with CentOS can take similar settings via the
module's "preauth_options" option, so you'd want to add this to the
relevant "auth" line in the right PAM configuration file (probably
/etc/pam.d/smartcard-auth):
  preauth_options=X509_user_identity=PKCS11:my_pkcs11_module.so

If there's no other module being invoked before pam_krb5 that's asking
for a password, you'll want to suppress pam_krb5's default behavior of
prompting for a password first by also giving the module its
"no_initial_prompt" option.

If pam_pkcs11's invoked first, or some other module is but you're still
certain that the other module is setting a PAM_AUTHTOK value that's a
smart card PIN and not a password, you can force pam_krb5 to just supply
that value when libkrb5 prompts for something, rather than asking the
application to ask the user, by specifying the module's
"no_subsequent_prompt" option.

HTH,

Nalin

More information about the Kerberos mailing list