Add preauth questions to kerberos responder context

Dorian Duc dodo040 at hotmail.fr
Mon Jan 16 05:10:36 EST 2017


I succeeded in the end. The problem was that a previous PKCS11 session was
not closed before the PKINIT process tried to open a new one.

103: C_Initialize
2017-01-12 17:46:43.597
[in] pInitArgs = (nil)
Returned:  401 CKR_CRYPTOKI_ALREADY_INITIALIZED
C_Initialize: cryptoki already initialized
can't open pkcs11 session

104: C_Finalize
2017-01-12 17:46:43.598
Returned:  0 CKR_OK
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0

questions_to_answer=password
pkinit_client_process 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70 0x7fffe40a1c20
processing KRB5_PADATA_PK_AS_REQ
pkinit_client_profile 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70 0x7fffe40a2538
pkinit_identity_prompt: 0x7fffe409f1f0 0x7fffe40a23f0 0x7fffe40a2290



If all the previously opened sessions are properly closed and the KDC is
configured to ask the client for PKINIT preauthentication, we should get
the following result:

111: C_CloseSession
2017-01-12 18:05:04.655
[in] hSession = 0xbabfcb7f
Returned:  0 CKR_OK

112: C_Finalize
2017-01-12 18:05:04.655
Returned:  0 CKR_OK
pkinit_client_prep_questions: asking question '{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
pkinit_client_prep_questions returning 0
pkinit_client_prep_questions: asking question '{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
pkinit_client_prep_questions returning 0

questions_to_answer=pkinit
pkinit_client_process 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760 0x7fffe40897f0
processing KRB5_PADATA_PK_AS_REQ
pkinit_client_profile 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760 0x7fffe4089f38
pkinit_identity_prompt: 0x7fffe4096090 0x7fffe4089df0 0x7fffe4089c70


Dorian Duc wrote
> Hello,
> 
> 
> I want to use "pkinit" preauth question to authenticate with kerberos.
> 
> 
> But I'm unable to answer "pkinit" question because it's not available in
> the list of questions returned by krb5_responder_list_questions(). Only
> "password" is proposed.
> 
> 
> How can I add "pkinit" or even "otp" in the list of preauth questions?
> 
> 
> Thank you
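A triage sketch for traces like the two in the message above, added here as an example and not part of the original post: it pairs each pkcs11-spy call with its return code and records which identity PKINIT asked about. The name `triage` and the condensed sample traces are constructed for illustration, and the identity parsing assumes no ':' inside the module path or token label.

```python
import json
import re

CALL = re.compile(r"^(\d+): (C_\w+)$")               # e.g. "103: C_Initialize"
RET = re.compile(r"^Returned:\s+(\d+) (CKR_\w+)$")    # e.g. "Returned:  0 CKR_OK"
ASKED = re.compile(r"'(\{.*\})'$")                    # quoted JSON challenge

def triage(trace):
    """Summarise a pkcs11-spy trace interleaved with PKINIT debug output."""
    failed, identities, questions, call = [], [], None, None
    for line in trace.splitlines():
        line = line.strip()
        if m := CALL.match(line):
            call = (int(m.group(1)), m.group(2))
        elif (m := RET.match(line)) and call:
            if m.group(2) != "CKR_OK":
                failed.append((*call, m.group(2)))
            call = None
        elif m := ASKED.search(line):
            # The challenge is a JSON object mapping identity -> token flags.
            for ident, flags in json.loads(m.group(1)).items():
                parts = ident.split(":")[1:]          # drop the "PKCS11" prefix
                fields = dict(p.split("=", 1) for p in parts if "=" in p)
                if (fields, flags) not in identities:  # question is logged twice
                    identities.append((fields, flags))
        elif line.startswith("questions_to_answer="):
            questions = line.split("=", 1)[1]
    return {"failed": failed, "identities": identities, "questions": questions}

# Constructed samples, condensed from the two traces in the message above.
BAD = """103: C_Initialize
Returned:  401 CKR_CRYPTOKI_ALREADY_INITIALIZED
104: C_Finalize
Returned:  0 CKR_OK
pkinit_client_prep_questions: no questions to ask
questions_to_answer=password"""
GOOD = """111: C_CloseSession
Returned:  0 CKR_OK
112: C_Finalize
Returned:  0 CKR_OK
pkinit_client_prep_questions: asking question
'{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
questions_to_answer=pkinit"""

if __name__ == "__main__":
    for name, trace in (("bad", BAD), ("good", GOOD)):
        print(name, triage(trace))
```

A non-empty `failed` list together with an empty `identities` list is the pattern from the first trace: a PKCS11 call failed and PKINIT had no question to ask.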