Kerberos and smart cards

jarek jarek at poczta.srv.pl
Fri Sep 27 06:56:55 EDT 2013


Hello!

I'm trying to set up Kerberos with smart cards.
I have working kerberos (krb5-kdc 1.10.1+dfsg-5+deb7u1) and one client
on debian wheezy amd64.
Kerberos is working fine with passwords.
I have also ATHENA smart card environment working on client with
pam-pkcs11.
If I enable pam-pkcs11, the client can log in with the card. If it is disabled,
the client is authenticated against Kerberos with a password.

I've found many HOWTOs on the Internet but still can't get it working.

After a lot of searching on the Internet I have the following in krb5.conf on the
client:

[libdefaults]
	default_realm = ABC.LOCAL
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	pkinit_anchors = FILE:/etc/krb5/cacert.pem
	pkinit_identities = PKCS11:libASEP11.so
	pkinit_cert_match =&&<EKU>msScLogin,<KU>digitalSignature

I have the following packages installed:

krb5-auth-dialog
krb5-config
krb5-locales
krb5-pkinit
krb5-user
libgssapi-krb5-2
libkrb5-26-heimdal
libkrb5-3
libkrb5support0
libpam-krb5

strace shows pkinit.so is loaded, but there is nothing about libASEP11.

KDC configuration:

[realms]
	ABC.LOCAL = {
		kdc = abc64.abc.local
		admin_server = abc64.abc.local
		default_realm = ABC.LOCAL
		pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
		pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
		pkinit_eku_checking = kpClientAuth
		kdc_tcp_ports = 88
	}
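As an added example (not from the original post or the krb5 project), a small Python lint for the client-side PKINIT settings shown above: it parses the [libdefaults] block, decodes the MIT krb5 identity string and pkinit_cert_match syntax, and flags what to check when strace shows no attempt to load the PKCS#11 module. The sample configuration is constructed from the post; no module or certificate files are assumed to exist.

```python
import re
# Constructed sample mirroring the client-side [libdefaults] block in the post.
SAMPLE_CONF = """[libdefaults]
\tdefault_realm = ABC.LOCAL
\tpkinit_anchors = FILE:/etc/krb5/cacert.pem
\tpkinit_identities = PKCS11:libASEP11.so
\tpkinit_cert_match =&&<EKU>msScLogin,<KU>digitalSignature"""

def parse_section(text, want):
    """Flat key -> value map for one top-level krb5.conf section (no nested braces)."""
    section, out = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif section == want and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k] = v
    return out

def parse_identity(spec):
    """Decode one PKINIT identity/anchor string (MIT syntax): FILE:cert[,key], DIR:path,
    PKCS12:file, PKCS11:[module_name=]mod[:slotid=N][:token=T][:certid=X][:certlabel=L]."""
    kind, _, rest = spec.partition(":")
    if kind == "FILE":
        cert, _, key = rest.partition(",")
        return kind, {"cert": cert, "key": key or cert}   # key defaults to the cert file
    if kind == "PKCS11":  # a bare first token is the module name
        return kind, dict(p.partition("=")[::2] if "=" in p else ("module_name", p)
                          for p in rest.split(":"))
    return kind, {"path": rest}

def parse_cert_match(rule):
    """(all_must_match, {component: [values]}); <KU>/<EKU>/<SAN>/<ISSUER>/<SUBJECT>
    components are concatenated and KU/EKU values are comma-separated lists."""
    rule = rule.strip()
    all_match, rule = not rule.startswith("||"), re.sub(r"^(&&|\|\|)", "", rule)
    return all_match, {n: [v for v in vals.split(",") if v] if n in ("KU", "EKU") else [vals]
                       for n, vals in re.findall(r"<(\w+)>([^<]*)", rule)}

def lint(conf_text):
    """Client-side findings to check before blaming the card middleware."""
    d = parse_section(conf_text, "libdefaults")
    kind, f = parse_identity(d.get("pkinit_identities", ""))
    findings = []
    if kind == "PKCS11" and not f.get("module_name", "").startswith("/"):
        findings.append("PKCS11 module %s is a bare name: the dlopen() search path decides "
                        "whether it loads; strace for open() attempts on it" % f["module_name"])
    if "pkinit_cert_match" not in d:
        findings.append("no pkinit_cert_match: any usable cert on the token may be selected")
    return findings
```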
