Fwd: Queries for Kerb Auth using Certificates and KCD for linux Reverse Proxy

Amit Thukral amit.thukral403 at gmail.com
Tue Sep 1 12:18:10 EDT 2015 

Hi Russ,

Thanks for your response.
yes, your understanding was right.
I need to do this on reverse proxy. I have a certificate private key
uploaded onto to the product (assuming this is required if this is to be
achieved) and am already doing:
    krb5_get_init_creds_opt_set_pa(c, opts, "X509_user_identity", user);
    krb5_get_init_creds_opt_set_pa(c, opts, "X509_anchors", anchors);

Moreover, this has worked with linux KDC (somehow have lost that setup).
Am facing issue with windows KDC.
But am still getting that error that was described in my last mail.

Rgds,
Amit







On Tue, Sep 1, 2015 at 9:02 PM, Russ Allbery <eagle at eyrie.org> wrote:

> Amit Thukral <amit.thukral403 at gmail.com> writes:
>
> > I am trying to implement kerberos authentication between clients and
> > windows KDC using certificates.
>
> > The product on which this needs to be implemented is a linux based
> > reverse proxy.
>
> > We have already integrated a MIT Kerberos libraries with it and are able
> > to authenticate clients with Windows KDC.  i.e. we are able to get TGT
> > on behalf the client (by setting forwardable flag for AS Req), pass it
> > back to the browser (client) and thus client authenticates using that
> > ticket with servers protected behind our product.  But for this as, as
> > of now, when a user trying to access a service protected behind our
> > product, we prompt him with login form where he enters his credentials,
> > using which we call krb5_get_init_creds_password api to send AS REQ and
> > get TGT.
>
> > Now, we want to achieve this using certificates.
>
> If I'm understanding your problem description correctly, I'm not sure this
> is possible.  To get Kerberos tickets from a certificate (aka PKINIT), the
> client that has access to the certificate private key needs to do this
> directly.  An intermediate cannot do this, since it doesn't have access to
> the certificate private key.  So if you're trying to get the Linux reverse
> proxy to do the authentication on behalf of the user, that isn't going to
> work.
>
> Anyway, assuming I'm wrong and you're actually doing the authentication in
> the client, the short version is that you should call these two functions:
>
>     krb5_get_init_creds_opt_set_pa(c, opts, "X509_user_identity", user);
>     krb5_get_init_creds_opt_set_pa(c, opts, "X509_anchors", anchors);
>
> with an appropriate value for X509_user_identity and X509_pkinit_anchors,
> respectively, and then do your krb5_get_init_creds_password call as normal
> with a NULL password.  If the KDC offers PKINIT, the Kerberos libraries
> should try PKINIT with the identity and anchors configured there.
>
> --
> Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
>

More information about the Kerberos mailing list