pam_krb5 with PKINIT from Heimdal and MIT
Douglas E. Engert
deengert at anl.gov
Fri Oct 6 12:44:15 EDT 2006
So while waiting for the pam_krb5-2.4 source to show up on
http://www.eyrie.org, I am attaching the Heimdal pkinit mods for
pam-krb5-2.3 as a point of discussion. I would hope the MIT
and CITI people would comment on their pkinit API.
I have this running on Ubuntu Edgy, with opensc-0.11.1 using the
Heimdal 20061002 snapshot. I am using a PIV smart card with a Windows
compatible cert, and W2k3 as the KDC.
o The pam_krb5 is the one place the Heimdal and MIT pkinit APIs come
in contact. I have not seen what the CITI people have proposed. Depending
on commonality of the APIs, parts of this code may need to be moved
to compat_heimdal.c
o The code depends on the hx509_err.h, as it tests for two error codes.
i.e. no card readers found and no card in any reader. I sent a bug report
to the Heimdal list on this today, suggesting that these should be KRB5_
error codes and should be in the MIT code as well.
o Three new pam options are added:
    use_pkinit - only do pkinit authentication, don't do password
    try_pkinit - try for pkinit, and if no card or reader, try password.
    pk_user=   - the pk_user parameter as passed to the pkinit code.
                 for example: pk_user=PKCS11:/usr/lib/opensc-pkcs11.so
                 With a smart card this is always the same.
o The thinking is if the user puts in a smart card, try and use it.
If no card is present use passwords as before. If they put in a card
and it fails, don't fall back to password, make them take the card
out first.
o The user is expected to type in a username to PAM, unlike Windows
that expects the UPN to be in the certificate. Future certificates
should not be expected to contain realm specific information.
o I chose to copy the pamk5_password_auth routine and rename it
pamk5_pkinit_auth, and cut out what was not needed. There is a lot
of duplicate code between the two. This was the easy way, as
I have not seen the MIT pkinit API.
o The Heimdal code uses the krb5_get_init_creds_opt_alloc to
allocate the opts structure, rather than having the structure
defined on the stack. In any case the same opts cannot be used
for pkinit and then, if it fails, for password. A separately initialized
opts structure is needed.
o Since the Heimdal default is to compile in pkinit, or at least
a stub for it, this pkinit code can be compiled into pam_krb5
by default. I would hope the MIT code would do something similar.
o To compile pam_krb5-2.3 with this patch, you also need the mods I
sent in yesterday as bug #391276, which you have fixed in 2.4.
>
> Matthijs, provided that I didn't mess something up again, this should fix
> the compilation problems with Heimdal, including the couple of warnings
> that were showing up in the buildd logs.
>
> BTW, Bug#269457 against libpam-heimdal was also fixed in pam-krb5 2.0.
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Attachment: pam-krb5-2.3-20061002.txt
Url: http://mailman.mit.edu/pipermail/krbdev/attachments/20061006/0c8c33c9/attachment.txt
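The card-present/card-absent fallback policy the post describes (use_pkinit, try_pkinit, and no password fallback once an inserted card has been rejected), written out as an added illustration; this is not code from the attached patch or from Heimdal. The pkinit_result values are constructed stand-ins for the two hx509 "no readers" / "no card" errors the post mentions, not Heimdal's actual error names, and use_pkinit taking precedence when both options are set is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of one PKINIT attempt. Constructed stand-ins for the two hx509
 * "no readers" / "no card" errors the post refers to; not Heimdal's names. */
enum pkinit_result {
    PKINIT_OK,          /* credentials obtained with the smart card */
    PKINIT_NO_READERS,  /* no card readers found */
    PKINIT_NO_CARD,     /* reader present, no card inserted */
    PKINIT_FAILED       /* card present, but PKINIT was rejected */
};

/* What the module does next after the PKINIT attempt. */
enum auth_action {
    AUTH_SUCCESS,       /* PKINIT authenticated the user */
    AUTH_TRY_PASSWORD,  /* fall back to the password path */
    AUTH_FAIL           /* refuse; no password fallback */
};

/* Policy from the post: use_pkinit = PKINIT only; try_pkinit = PKINIT, and
 * password only if there is no card or reader; a present card that fails
 * never falls back. Assumption: use_pkinit wins if both options are set. */
enum auth_action decide_auth(bool use_pkinit, bool try_pkinit,
                             enum pkinit_result r)
{
    if (!use_pkinit && !try_pkinit)
        return AUTH_TRY_PASSWORD;   /* PKINIT not configured: password as before */
    switch (r) {
    case PKINIT_OK:
        return AUTH_SUCCESS;
    case PKINIT_NO_READERS:
    case PKINIT_NO_CARD:
        return (try_pkinit && !use_pkinit) ? AUTH_TRY_PASSWORD : AUTH_FAIL;
    case PKINIT_FAILED:
    default:
        /* Card inserted and rejected: make the user remove it, do not downgrade. */
        return AUTH_FAIL;
    }
}

int main(void)
{
    static const char *names[] = { "success", "try password", "fail" };
    /* Walk the try_pkinit configuration through all four outcomes. */
    for (int r = PKINIT_OK; r <= PKINIT_FAILED; r++)
        printf("try_pkinit, outcome %d -> %s\n", r,
               names[decide_auth(false, true, (enum pkinit_result)r)]);
    return 0;
}
```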