krb5-1.12.1, pkinit, and openssl ca
squidmobile@fastmail.fm
Tue Jun 10 20:00:42 EDT 2014
10 jun 2014
i worked up this reply yesterday, and just got the chance to post it.
i think it confirms your guesses about what i did. i'll try your
suggestions and get back to you.
thank you very much. that looks like the most promising approach
i've seen ANYWHERE.
frank smith
09 jun 2014
greetings,
first, a note: i upgraded openssl
from openssl-1.0.1g
to openssl-1.0.1h
and
from openssl-0.9.8y
to openssl-0.9.8za
i then recompiled and reinstalled everything that depended upon it,
INCLUDING krb5-1.12.1. i expect no operational differences, but it
IS a change in my system configuration.
your wish is my command.
i went back, and logged the entire client certificate creation
process from start to stop, the same way i logged the kdc
certificate creation process. i omitted it earlier because i
figured if i got the server process correct, then i probably got
the client process correct.
however, something clearly does not work for me... the only thing
that creates just a twinge is the embedded slash (/) i included in
my principal name in the cn field of the client certificate.
however, i figured:
1. openssl should be smart enough to know where its data fields
start and end.
2. if it was an illegal character, then the openssl commands (req
and ca) should have screamed about it.
3. the subjectaltname/othername field should also have screamed.
(as an aside: WOW! FOUR issues in one post! when i stumble
around breaking things, i do it up right! *grin*)
on a more serious note, i wondered about pkinit_identity versus
pkinit_identities at the time, but i knew the different files
(kdc.conf versus krb5.conf) would differentiate between purposes.
is there a reason to keep the labels different, or could you follow
the examples of pkinit_anchors and pkinit_pool, and use
pkinit_identity in both files? pkinit_identit* seems to function
the same way in both files, in that you have a certificate file
and its related key file. plus, both use the same FILE: or DIR:
syntax.
thank you for your time and assistance.
frank smith
### (some) long lines broken to improve readability
Script started on Mon 09 Jun 2014 07:53:49 PM EDT
hostname(test) 1 $ ksh -xv /tmp/gigo.sh
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 \
-outform PEM -out private/krb5.usr.key.pem
+ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096
-outform PEM -out private/krb5.usr.key.pem
...........................++
...............................................................................................................................................++
head -2 private/krb5.usr.key.pem
+ head -2 private/krb5.usr.key.pem
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDXSZRE7Ke1mHdX
/local/sbin/mk.tls.usr.req krb5 my-principal
+ /local/sbin/mk.tls.usr.req krb5 my-principal
suggestions for questions below:
o: domain.name
ou: krb5 client
cn: client = my-principal
Using configuration from /local/package/openssl-1.0.1h/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [na]:
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.name
Organizational Unit Name (eg, section) []:krb5 client
Common Name (e.g. server FQDN or YOUR name) []:client = my/principal
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
head -2 requests/krb5.usr.my-principal.req.pem
+ head -2 requests/krb5.usr.my-principal.req.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEsDCCApgCAQAwazELMAkGA1UEBhMCVVMxDTALBgNVBAgMBG15b2IxFzAVBgNV
hostname(test) 2 $
Script done on Mon 09 Jun 2014 07:54:24 PM EDT
Script started on Mon 09 Jun 2014 08:05:19 PM EDT
hostname(root) 1 $ ksh -xv /tmp/gigo.sh
cat extensions/extensions.client
+ cat extensions/extensions.client
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:principal_seq
[principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:principals
[principals]
princ1=GeneralString:${ENV::CLIENT}
env REALM=DOMAIN.NAME CLIENT=my/principal \
openssl ca -verbose -md sha256 -notext -create_serial \
-extfile extensions/extensions.client \
-extensions client_cert \
-cert certs/krb5.ca.cert.pem \
-keyfile private/krb5.ca.key.pem \
-enddate 140612000000Z \
-in requests/krb5.usr.my-principal.req.pem \
-out certs/krb5.usr.my-principal.cert.pem
+ env REALM=DOMAIN.NAME CLIENT=my/principal openssl ca -verbose
-md sha256 -notext -create_serial
-extfile extensions/extensions.client -extensions client_cert
-cert certs/krb5.ca.cert.pem -keyfile private/krb5.ca.key.pem
-enddate 140612000000Z -in requests/krb5.usr.my-principal.req.pem
-out certs/krb5.usr.my-principal.cert.pem
Using configuration from /local/package/openssl-1.0.1h/ssl/openssl.cnf
Enter pass phrase for private/krb5.ca.key.pem:
V 160102000000Z A74E735D6DABABAF unknown
/C=US/ST=na/O=domain.name/OU=krb5 server/CN=server = kdc
V 160102000000Z A74E735D6DABABB0 unknown
/C=US/ST=na/O=domain.name/OU=krb5 server/CN=server = kdc-secondary
2 entries loaded from the database
generating index
Successfully loaded extensions file extensions/extensions.client
message digest is sha256
policy is policy_match
next serial number is A74E735D6DABABB1
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=na, O=domain.name, OU=krb5 client, CN=client = my/principal
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d7:49:94:44:ec:a7:b5:98:77:57:20:94:be:84:
...
9c:3c:45
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
98:78:35:9b:a6:f1:77:67:37:e2:da:d1:7f:9c:b5:af:44:1e:
...
c5:c7:be:fc:b3:44:76:ed
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Extra configuration file found
Successfully added extensions from file.
Certificate Details:
Serial Number: 12055700097626516401 (0xa74e735d6dababb1)
Validity
Not Before: Jun 10 00:05:35 2014 GMT
Not After : Jun 12 00:00:00 2014 GMT
Subject:
countryName = US
stateOrProvinceName = na
organizationName = domain.name
organizationalUnitName = krb5 client
commonName = client = my/principal
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.4
X509v3 Subject Key Identifier:
56:7D:8B:AB:D6:29:45:ED:74:08:ED:66:E3:DF:53:3D:77:68:30:4C
X509v3 Authority Key Identifier:
keyid:1C:D9:AC:3F:8F:7D:93:EA:78:F5:44:2E:F4:F0:02:7E:CD:B8:80:04
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Certificate is to be certified until Jun 12 00:00:00 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing ./newcerts/A74E735D6DABABB1.pem
Data Base Updated
hostname(root) 2 $
Script done on Mon 09 Jun 2014 08:05:42 PM EDT
Script started on Mon 09 Jun 2014 08:08:16 PM EDT
hostname(test) 1 $ ksh -xv /tmp/gigo.sh
head -2 certs/krb5.usr.my-principal.cert.pem
+ head -2 certs/krb5.usr.my-principal.cert.pem
-----BEGIN CERTIFICATE-----
MIIGFjCCA/6gAwIBAgIJAKdOc11tq6uxMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
openssl x509 -text -in certs/krb5.usr.my-principal.cert.pem
+ openssl x509 -text -in certs/krb5.usr.my-principal.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12055700097626516401 (0xa74e735d6dababb1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=na, O=domain.name, OU=krb5 ca,
CN=hostname.domain.name
Validity
Not Before: Jun 10 00:05:35 2014 GMT
Not After : Jun 12 00:00:00 2014 GMT
Subject: C=US, ST=na, O=domain.name, OU=krb5 client, CN=client = my/principal
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d7:49:94:44:ec:a7:b5:98:77:57:20:94:be:84:
...
9c:3c:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.4
X509v3 Subject Key Identifier:
56:7D:8B:AB:D6:29:45:ED:74:08:ED:66:E3:DF:53:3D:77:68:30:4C
X509v3 Authority Key Identifier:
keyid:1C:D9:AC:3F:8F:7D:93:EA:78:F5:44:2E:F4:F0:02:7E:CD:B8:80:04
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
53:a8:10:68:da:af:bb:81:e2:3d:03:12:ea:3f:8d:e2:bb:2c:
...
a9:cc:99:5f:8a:f4:71:98
-----BEGIN CERTIFICATE-----
MIIGFjCCA/6gAwIBAgIJAKdOc11tq6uxMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
...
Zuk88dF4XqfAUScJWobwK8wGqcyZX4r0cZg=
-----END CERTIFICATE-----
kdestroy -A
+ kdestroy -A
ls -la
+ ls -la
total 16
drwx------ 6 test test 4096 2014-06-09 20:06 .
drwx------ 5 test test 4096 2014-06-09 20:08 ..
drwx------ 2 test test 8 2014-06-09 20:06 certs
-rw------- 1 test test 0 2014-06-09 19:53 index.txt
drwx------ 2 test test 1 2014-06-09 19:53 newcerts
drwx------ 2 test test 8 2014-06-09 19:53 private
drwx------ 2 test test 8 2014-06-09 19:54 requests
lrwxrwxrwx 1 test test 36 2014-06-07 17:10 my-principal.crt -> certs/krb5.usr.my-principal.cert.pem
lrwxrwxrwx 1 test test 24 2014-06-07 17:10 my-principal.key -> private/krb5.usr.key.pem
head -2 my-principal.crt
+ head -2 my-principal.crt
-----BEGIN CERTIFICATE-----
MIIGFjCCA/6gAwIBAgIJAKdOc11tq6uxMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
head -2 my-principal.key
+ head -2 my-principal.key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDXSZRE7Ke1mHdX
grep pkinit /local/package/krb5/etc/krb5.frag.realms
+ grep pkinit /local/package/krb5/etc/krb5.frag.realms
pkinit_anchors = DIR:/local/package/krb5/ssl/certs.root
pkinit_pool = DIR:/local/package/krb5/ssl/certs.pool
pkinit_identities = ENV:KRB5_CLIENT_IDENTITIES
KRB5_TRACE=/dev/stdout \
KRB5_CLIENT_IDENTITIES="DIR:${HOME}/.krb5.id" \
kinit my/principal
+ kinit my/principal
+ KRB5_TRACE=/dev/stdout
+ KRB5_CLIENT_IDENTITIES=DIR:/home/test/.krb5.id
[7356] 1402358899.955271: Getting initial credentials for my/principal@DOMAIN.NAME
[7356] 1402358899.960495: Sending request (186 bytes) to DOMAIN.NAME
[7356] 1402358899.960635: Resolving hostname kdc.domain.name
[7356] 1402358899.962071: Sending initial UDP request to dgram
1.2.3.5:88
[7356] 1402358899.962921: Received answer (265 bytes) from dgram
1.2.3.5:88
[7356] 1402358899.962989: Response was from master KDC
[7356] 1402358899.963049: Received error from KDC:
-1765328359/Additional pre-authentication required
[7356] 1402358899.963141: Processing preauth types: 16, 15, 14, 136,
147, 133
[7356] 1402358899.963160: Received cookie: MIT
[7356] 1402358899.963710: Preauth module pkinit (147) (info)
returned: 0/Success
[7356] 1402358899.965273: PKINIT client computed kdc-req-body
checksum 9/BC5BE76F44A39D5473B2F3797F5BC86B6A0CA49D
[7356] 1402358899.965309: PKINIT client making DH request
[7356] 1402358900.6446: Preauth module pkinit (16) (real) returned:
0/Success
[7356] 1402358900.6480: Produced preauth for next request: 133, 16
[7356] 1402358900.6530: Sending request (5241 bytes) to DOMAIN.NAME
[7356] 1402358900.6597: Resolving hostname kdc.domain.name
[7356] 1402358900.7917: Initiating TCP connection to stream 1.2.3.5:88
[7356] 1402358900.24085: Sending TCP request to stream 1.2.3.5:88
[7356] 1402358900.26388: Received answer (185 bytes) from stream
1.2.3.5:88
[7356] 1402358900.26468: Response was from master KDC
[7356] 1402358900.26501: Received error from KDC:
-1765328309/Client name mismatch
kinit: Client name mismatch while getting initial credentials
hostname(test) 2 $
Script done on Mon 09 Jun 2014 08:08:21 PM EDT
as before, the kdc reports in its /var/log/messages:
Jun 9 20:08:20 kdc krb5kdc[6259]: AS_REQ (2 etypes {18 26})
1.2.3.4: NEEDED_PREAUTH: my/principal@DOMAIN.NAME for
krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication
required
Jun 9 20:08:20 kdc krb5kdc[6259]: preauth (pkinit) verify
failure: Client name mismatch
Jun 9 20:08:20 kdc krb5kdc[6259]: AS_REQ (2 etypes {18 26})
1.2.3.4: PREAUTH_FAILED: my/principal@DOMAIN.NAME for
krbtgt/DOMAIN.NAME@DOMAIN.NAME, Client name mismatch
Jun 9 20:08:20 kdc krb5kdc[6259]: closing down fd 9
### end of logged data
--
http://www.fastmail.fm - Access your email from home and the web
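Editor's added example (not code from the post above, nor from MIT krb5 or OpenSSL): the `openssl x509 -text` output in the log shows the PKINIT SAN only as `othername:<unsupported>`, so there is no way to eyeball what the `[princ_name]` / `[principal_seq]` / `[principals]` sections actually encoded. The script below hand-builds and decodes that otherName value (id-pkinit-san, 1.3.6.1.5.2.2, the KRB5PrincipalName structure from RFC 4556 section 3.2.2) and applies the check the KDC makes before it reports "Client name mismatch": the realm and the complete list of name-string components must equal the client principal in the AS-REQ. The realm `DOMAIN.NAME` and the principal `my/principal` are taken from the post; everything else is constructed here. Note that a single `princ1=GeneralString:my/principal` line produces one component containing a slash, whereas `kinit my/principal` requests a two-component principal, so the script also renders the `[principals]` section with one line per component.

```python
"""Build, decode and check the PKINIT id-pkinit-san otherName (added example).

KRB5PrincipalName ::= SEQUENCE {
    realm          [0] Realm,                   -- GeneralString
    principalName  [1] SEQUENCE {
        name-type    [0] Int32,
        name-string  [1] SEQUENCE OF KerberosString } }   -- GeneralString each
"""

GENERAL_STRING, INTEGER, SEQUENCE = 0x1B, 0x02, 0x30


def _len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _explicit(n, body):
    """EXPLICIT context tag [n], what openssl's EXP:n produces."""
    return _tlv(0xA0 | n, body)


def encode_krb5_principal_name(realm, components, name_type=1):
    """DER of the otherName value, one GeneralString per principal component."""
    name_string = _tlv(SEQUENCE, b"".join(_tlv(GENERAL_STRING, c.encode("ascii")) for c in components))
    principal_name = _tlv(SEQUENCE, _explicit(0, _tlv(INTEGER, bytes([name_type]))) + _explicit(1, name_string))
    return _tlv(SEQUENCE, _explicit(0, _tlv(GENERAL_STRING, realm.encode("ascii"))) + _explicit(1, principal_name))


def _read(buf, pos, tag, what):
    """Read one TLV at pos, insisting on the expected tag; return (body, next_pos)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"{what}: expected tag 0x{tag:02X}")
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return buf[pos:pos + length], pos + length


def decode_krb5_principal_name(der):
    """Parse the otherName value back into (realm, name_type, components)."""
    outer, end = _read(der, 0, SEQUENCE, "KRB5PrincipalName")
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_ctx, pos = _read(outer, 0, 0xA0, "realm [0]")
    realm, _ = _read(realm_ctx, 0, GENERAL_STRING, "realm")
    pn_ctx, _ = _read(outer, pos, 0xA1, "principalName [1]")
    pn, _ = _read(pn_ctx, 0, SEQUENCE, "PrincipalName")
    nt_ctx, pos = _read(pn, 0, 0xA0, "name-type [0]")
    nt, _ = _read(nt_ctx, 0, INTEGER, "name-type")
    ns_ctx, _ = _read(pn, pos, 0xA1, "name-string [1]")
    ns, _ = _read(ns_ctx, 0, SEQUENCE, "name-string")
    components, pos = [], 0
    while pos < len(ns):
        comp, pos = _read(ns, pos, GENERAL_STRING, "name-string component")
        components.append(comp.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), components


def split_principal(text):
    """Split 'a/b@REALM' the way kinit does: an unescaped '/' separates components,
    an unescaped '@' starts the realm, a backslash escapes the next character."""
    components, cur, realm, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2; continue
        if realm is None and ch in "/@":
            components.append("".join(cur)); cur = []
            if ch == "@":
                realm = ""
        else:
            cur.append(ch)
        i += 1
    if realm is None:
        components.append("".join(cur))
        return components, None
    return components, "".join(cur)


def san_matches_principal(san_der, principal_text, default_realm=None):
    """The KDC's test: realm and the whole component list must be equal."""
    realm, _, components = decode_krb5_principal_name(san_der)
    want_components, want_realm = split_principal(principal_text)
    return realm == (want_realm or default_realm) and components == want_components


def openssl_principals_section(components):
    """[principals] section for the extensions file, one GeneralString per component."""
    return "\n".join(["[principals]"] + [f"princ{i}=GeneralString:{c}" for i, c in enumerate(components, 1)])


if __name__ == "__main__":
    # Constructed inputs: what CLIENT=my/principal with one princ1 line encodes (one component)
    # versus a SAN with the two components that `kinit my/principal` asks for.
    one = encode_krb5_principal_name("DOMAIN.NAME", ["my/principal"])
    two = encode_krb5_principal_name("DOMAIN.NAME", ["my", "principal"])
    for label, der in (("one component ", one), ("two components", two)):
        print(label, decode_krb5_principal_name(der), san_matches_principal(der, "my/principal@DOMAIN.NAME"))
    print(openssl_principals_section(["my", "principal"]))
```

Running it prints `False` for the one-component SAN and `True` for the two-component one against `my/principal@DOMAIN.NAME`; a literal slash inside a single component would have to be requested as `kinit 'my\/principal'`, since MIT krb5 honours backslash escapes when parsing principal names. To inspect a real certificate rather than constructed bytes, `openssl asn1parse -in cert.pem -strparse <offset>` on the SAN extension's OCTET STRING shows the same tags this decoder expects.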