pkinit for multiple user support

Douglas E. Engert deengert at anl.gov
Wed May 29 10:36:34 EDT 2013



On 5/29/2013 1:08 AM, sasikumar bodathula wrote:
> Forgot to mention following in previous e-mail.
>
> Some more info: tried kinit with X509_user_pool (does this exist, since kinit did not complain?) and X509_user_identity options with DIR (is this supported, or does each user-specific file need to be given in the kinit command with FILE: options?).
>
> Best Regards,
>
> B.Sasikumar.
>
>
> From: "sasikumar bodathula"<sasikumar.b at rediffmail.com>
> Sent: Wed, 29 May 2013 11:24:04
> To: "kerberos at MIT.EDU"<kerberos at MIT.EDU>
> Subject: pkinit for multiple user support
> Hi,
>   I am trying to test multiple users with certificates (pkinit).
>
> Following are the steps that were followed:
>
> 1. In KDC created 2 users testuser and testuser2 and enabled +requires_preauth with modprinc
>
> 2. Created CA certificate and KDC certificate
>
> krb5.conf in KDC contains
> pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
> pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
>
> 3. Created certificate for testuser with CA created in step2
>
> 4. Created certificate for testuser2 with CA created in step2
>
> krb5.conf in Client machine
> pkinit_pool = DIR:/etc/certificates/usercerts/
> pkinit_anchors = DIR:/etc/certificates/usercerts/
>
> Kinit command for testuser
>
> kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ -X X509_anchors=DIR:/etc/certificates/usercerts/ -X flag_RSA_PROTOCOL=yes testuser

Did you forget the -X X509_user_identity=... pointing at the user's cert and key?


> Kinit command for testuser2
>
> kinit -V -X X509_user_pool=DIR:/etc/certificates/usercerts/ -X X509_anchors=DIR:/etc/certificates/usercerts/ -X flag_RSA_PROTOCOL=yes testuser2
>
> In both cases kinit prompts for a password.
>
> NOTE:-
> 1. If the certificate is specified instead of a directory, it works fine and does not prompt for a password.
> 2. Both the testuser and testuser2 certificates, along with the CA, are placed in the same location "/etc/certificates/usercerts/".

The key is most important. Only a user should have access to their key.


>
> Please guide me if I am missing something important in this procedure.
>
> Best Regards,
>
> B.Sasikumar.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
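As an added illustration of the two points made in this reply (not code from the thread or from the MIT krb5 project), the shell snippet below builds a per-user kinit invocation that names the user's own certificate and key with X509_user_identity=FILE:..., and refuses to emit it unless the private key is owned by the calling user and readable by nobody else. The per-user directory layout /etc/certificates/usercerts/<user>/<user>.pem and <user>-key.pem is an assumption chosen to mirror the paths in the thread; the X509_user_identity, X509_anchors and flag_RSA_PROTOCOL options are the ones already used in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed layout:
#   <base>/cacert.pem                 CA certificate (trust anchor)
#   <base>/<user>/<user>.pem          user's certificate
#   <base>/<user>/<user>-key.pem      user's private key, mode 0600, owned by user

# key_is_private FILE
# Succeeds only if FILE exists, is owned by the calling user, and has
# mode 0600 or 0400, i.e. no group/other access to the key material.
key_is_private() {
    key="$1"
    [ -f "$key" ] || return 1
    # GNU stat first; fall back to BSD/macOS stat if -c is unsupported.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    owner=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
    [ "$owner" = "$(id -un)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# pkinit_cmd USER [BASE]
# Prints the kinit command line for USER. The identity is given as a FILE:
# cert,key pair rather than a shared DIR:, so each user names only their own
# key and the CA stays a pure anchor.
pkinit_cmd() {
    user="$1"
    base="${2:-/etc/certificates/usercerts}"
    cert="$base/$user/$user.pem"
    key="$base/$user/$user-key.pem"
    printf 'kinit -V -X X509_user_identity=FILE:%s,%s -X X509_anchors=FILE:%s/cacert.pem -X flag_RSA_PROTOCOL=yes %s\n' \
        "$cert" "$key" "$base" "$user"
}

# pkinit_for_user USER [BASE]
# Emits the kinit command only when the key passes the ownership/mode check;
# otherwise prints a diagnostic to stderr and fails.
pkinit_for_user() {
    user="$1"
    base="${2:-/etc/certificates/usercerts}"
    key="$base/$user/$user-key.pem"
    if key_is_private "$key"; then
        pkinit_cmd "$user" "$base"
    else
        echo "refusing: $key must exist, be owned by $(id -un), and be mode 0600/0400" >&2
        return 1
    fi
}

# Usage (uncomment to run for real; this script only prints the command):
# pkinit_for_user testuser && eval "$(pkinit_for_user testuser)"
```

Running `pkinit_for_user testuser` prints a command of the form `kinit -V -X X509_user_identity=FILE:.../testuser/testuser.pem,.../testuser/testuser-key.pem -X X509_anchors=FILE:.../cacert.pem -X flag_RSA_PROTOCOL=yes testuser`; a second user gets their own key path, and a key that is group- or world-readable is rejected before kinit is ever invoked.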

