Does KfW 4.0.1 have support for PKINIT?

Kenny Dinh kdinh at peaxy.net
Thu Oct 8 18:23:42 EDT 2015


Greetings,

I am trying to use PKINIT to authenticate a principal using KfW version
4.0.1.  I have a client certificate, the private key in plain text format,
and a directory containing the self-signed certificate of my local CA.

On a CentOS machine, I executed the following command:

kinit -V -r 7d -l 24h -c my_krb5cc -X X509_user_identity=FILE:/path/to/client/cert.pem,/path/to/client/plaintext/private.key -X X509_anchors=DIR:/path/to/dir/CA/certs <my client id>

"kinit -V -r 7d -l 24h -c kenny_krb5cc -X X509_user_identity=FILE:/pki/client.pem,/pki/private/client.key -X X509_anchors=DIR:/pki/anchors clt-12345"

That works correctly and I was able to authenticate with my KDC.

I tried to use the same command on Windows as follows:

"kinit -V -r 7d -l 24h -c kenny_krb5cc -X X509_user_identity=FILE:C:\ProgramData\testapp\pki\client.pem,c:\ProgramData\testapp\pki\private\client.key -X X509_anchors=DIR:C:\ProgramData\testapp\pki\anchors clt-12345"

However, kinit.exe did not present the client certificate to the KDC, and
it prompted me for a password.  The following is the KRB5_TRACE output.


[1068] 1444338417.246001: Getting initial credentials for clt-12345 at TESTKDC.LOCAL
[1068] 1444338417.246002: Sending request (224 bytes) to TESTKDC.LOCAL
[1068] 1444338417.246003: Resolving hostname 172.16.145.8
[1068] 1444338417.246004: Sending initial UDP request to dgram 172.16.145.8:88
[1068] 1444338417.496000: Received answer from dgram 172.16.145.8:88
[1068] 1444338417.496001: Response was not from master KDC
[1068] 1444338417.496002: Received error from KDC: -1765328359/Additional pre-authentication required
[1068] 1444338417.496003: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[1068] 1444338417.496004: Selected etype info: etype aes256-cts, salt "TESTKDC.LOCALclt-12345", params ""
[1068] 1444338417.496005: Received cookie: MIT


I'm looking through the KfW code but have not been able to make a
concrete determination of the error.  I am getting the impression that
PKINIT is not supported in KfW, so I want to confirm before spending too
much time looking at the code.  The code for PKINIT seems to be there in
the KfW source, but I'm not 100% sure.

If PKINIT is not supported in KfW version 4.0.1, does anyone know if
there is any plan to add support for it?

Any pointers are appreciated.

Thank you,
~Kenny
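Added example, not part of Kenny's mail or of the KfW code: a small Python parser for KRB5_TRACE output that re-joins lines a mail client wrapped, names the preauth types the KDC offered in its PREAUTH_REQUIRED error, and reports whether the client fell through to password preauth even though PKINIT was on offer. It assumes the MIT client's pkinit module emits trace lines containing the word "PKINIT" when it actually runs; the sample trace is the one from the mail above.

```python
import re
# Preauth type numbers as printed by KRB5_TRACE (RFC 4120, 4556, 6113, 8062).
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD", 16: "PA-PK-AS-REQ",
            17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 147: "PA-PKINIT-KX"}
PKINIT_TYPES = {14, 16, 147}  # any of these in the KDC's offer means it is willing to do PKINIT
TRACE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
# Sample input: the trace from the mail above, still wrapped the way the mailer wrapped it.
SAMPLE_TRACE = """\
[1068] 1444338417.246001: Getting initial credentials for
clt-12345 at TESTKDC.LOCAL
[1068] 1444338417.496002: Received error from KDC: -1765328359/Additional
pre-authentication required
[1068] 1444338417.496003: Processing preauth types: 16, 15, 14, 136, 19,
147, 2, 133
[1068] 1444338417.496004: Selected etype info: etype aes256-cts, salt
"TESTKDC.LOCALclt-12345", params ""
"""

def parse_trace(text):
    """Return (pid, timestamp, message) tuples, re-joining lines a mail client wrapped."""
    records = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            records.append([int(m.group(1)), m.group(2), m.group(3)])
        elif records and line.strip():  # continuation of the previous record
            records[-1][2] += " " + line.strip()
    return [tuple(r) for r in records]

def offered_preauth(records):
    """Preauth type numbers the KDC listed in its PREAUTH_REQUIRED error, in order."""
    for _, _, msg in records:
        if msg.startswith("Processing preauth types:"):
            return [int(t) for t in msg.split(":", 1)[1].split(",")]
    return []

def diagnose(text):
    records = parse_trace(text)
    offered = offered_preauth(records)
    pkinit_offered = bool(PKINIT_TYPES & set(offered))
    # Assumption: the MIT client's pkinit module logs trace lines containing "PKINIT".
    pkinit_ran = any("PKINIT" in msg for _, _, msg in records)
    if not pkinit_offered:
        verdict = "KDC did not offer PKINIT; check KDC-side pkinit configuration"
    elif pkinit_ran:
        verdict = "PKINIT engaged on the client side"
    else:
        verdict = "KDC offered PKINIT but the client never engaged it (password fallback)"
    return {"offered": [PA_NAMES.get(t, str(t)) for t in offered],
            "pkinit_offered": pkinit_offered, "pkinit_ran": pkinit_ran, "verdict": verdict}
```

On the trace in the mail this reports that the KDC offered PA-PK-AS-REQ (16) and the older draft types, yet the client went straight to etype-info selection, which points at the client-side pkinit module not being loaded or not accepting the identity string rather than at the KDC.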

