Kerberos and smart cards
jarek
jarek at poczta.srv.pl
Fri Sep 27 06:56:55 EDT 2013
Hello!
I'm trying to setup kerberos with smart cards.
I have a working Kerberos (krb5-kdc 1.10.1+dfsg-5+deb7u1) and one client
on Debian wheezy amd64.
Kerberos is working fine with passwords.
I also have the ATHENA smart card environment working on the client with
pam-pkcs11.
If I enable pam-pkcs11, the client can log in with the card. If it is disabled,
the client is authenticated against Kerberos with a password.
I've found many HOWTOs on the Internet but still can't get it working.
After a lot of searching on the Internet I have the following in krb5.conf on
the client:
[libdefaults]
default_realm = ABC.LOCAL
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
pkinit_anchors = FILE:/etc/krb5/cacert.pem
pkinit_identities = PKCS11:libASEP11.so
pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
I have the following packages installed:
krb5-auth-dialog
krb5-config
krb5-locales
krb5-pkinit
krb5-user
libgssapi-krb5-2
libkrb5-26-heimdal
libkrb5-3
libkrb5support0
libpam-krb5
strace shows pkinit.so is loaded, but there is nothing about libASEP11.
KDC configuration:
[realms]
ABC.LOCAL = {
kdc = abc64.abc.local
admin_server = abc64.abc.local
default_realm = ABC.LOCAL
pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
pkinit_eku_checking = kpClientAuth
kdc_tcp_ports = 88
}
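The pkinit_cert_match line in the client config above decides which certificate on the token the PKINIT client will use, so it is worth being able to check a rule against the certificates actually present. The following is an added example (not code from the post, and not MIT krb5's own matcher) that evaluates rules written in the grammar documented in krb5.conf(5): an optional leading "&&" (every component must match; the default) or "||" (any one component matches), followed by components written back to back as <SUBJECT>regex, <ISSUER>regex, <SAN>regex, <EKU>name,name and <KU>name,name. Certificates are plain dicts constructed inline (sample data, not taken from a real card), Python's re module stands in for the POSIX regex library krb5 uses, and the function and field names are this example's own. The stray comma before <KU> in the posted rule is tolerated here as an empty list entry; the examples in krb5.conf(5) write components back to back with no comma between them.

```python
"""Evaluate krb5.conf pkinit_cert_match rules against certificate attributes.

Added example for this thread, not code from the original post or from MIT
krb5.  Rule grammar follows krb5.conf(5); certificate representation, helper
names and the "first rule that matches anything wins" policy are this
example's own assumptions.
"""
import re

# Names krb5.conf(5) accepts inside <EKU>...</EKU> and <KU>... components.
EKU_NAMES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
KU_NAMES = {"digitalSignature", "keyEncipherment"}
COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>([^<]*)")


def parse_rule(rule):
    """Return (mode, [(kind, value), ...]); raise ValueError on a malformed rule."""
    rule = rule.strip()
    mode = "&&"                      # default: all components must match
    if rule[:2] in ("&&", "||"):
        mode, rule = rule[:2], rule[2:]
    components = COMPONENT_RE.findall(rule)
    if not components or COMPONENT_RE.sub("", rule) != "":
        raise ValueError("rule is not a sequence of <TYPE>value components: %r" % rule)
    parsed = []
    for kind, value in components:
        if kind in ("EKU", "KU"):
            names = {n for n in value.split(",") if n}   # drop empty entries (stray comma)
            allowed = EKU_NAMES if kind == "EKU" else KU_NAMES
            unknown = names - allowed
            if not names or unknown:
                raise ValueError("bad <%s> list %r, unknown names %s" % (kind, value, sorted(unknown)))
            parsed.append((kind, names))
        else:
            parsed.append((kind, re.compile(value)))      # regex, search semantics
    return mode, parsed


def component_matches(kind, value, cert):
    """One <TYPE>value component against one certificate dict."""
    if kind == "SUBJECT":
        return value.search(cert["subject"]) is not None
    if kind == "ISSUER":
        return value.search(cert["issuer"]) is not None
    if kind == "SAN":
        return any(value.search(san) for san in cert.get("san", []))
    if kind == "EKU":
        return value <= set(cert.get("eku", []))   # every listed EKU must be present
    if kind == "KU":
        return value <= set(cert.get("ku", []))    # every listed KU bit must be present
    raise ValueError(kind)


def cert_matches(rule, cert):
    mode, parsed = parse_rule(rule)
    results = [component_matches(kind, value, cert) for kind, value in parsed]
    return all(results) if mode == "&&" else any(results)


def matching_certs(rules, certs):
    """Try rules in order; return the certs matched by the first rule that hits.

    Policy assumption of this example: krb5.conf allows several
    pkinit_cert_match lines, and here the first rule that matches at least
    one certificate decides.
    """
    for rule in rules:
        hits = [c for c in certs if cert_matches(rule, c)]
        if hits:
            return hits
    return []


# Constructed sample certificates, modelled on a typical smart card that
# carries a logon certificate and a separate encryption certificate.
SAMPLE_CERTS = [
    {"label": "logon",
     "subject": "CN=alice,OU=Users,DC=abc,DC=local",
     "issuer": "CN=ABC CA,DC=abc,DC=local",
     "san": ["alice@ABC.LOCAL"],
     "eku": ["msScLogin", "clientAuth"],
     "ku": ["digitalSignature"]},
    {"label": "encryption",
     "subject": "CN=alice,OU=Users,DC=abc,DC=local",
     "issuer": "CN=ABC CA,DC=abc,DC=local",
     "san": ["alice@abc.local"],
     "eku": ["emailProtection"],
     "ku": ["keyEncipherment"]},
]

# The rule exactly as it appears in the client krb5.conf above.
POSTED_RULE = "&&<EKU>msScLogin,<KU>digitalSignature"

if __name__ == "__main__":
    for cert in matching_certs([POSTED_RULE], SAMPLE_CERTS):
        print("rule %r selects certificate %r" % (POSTED_RULE, cert["label"]))
```

Running it shows that the posted rule selects only the logon certificate, because the encryption certificate lacks both the msScLogin EKU and the digitalSignature key usage; switching the prefix to "||" would make either component sufficient, and a misspelt EKU name is rejected at parse time rather than silently matching nothing.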