kinit pkinit question.

Matthew Andrews matt at slackers.net
Fri Feb 29 17:51:28 EST 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I am attempting to set up pkinit authentication with the kerberos 1.6.3
code, and havind trouble figuring out what is needed to get the kinit
client to use pkinit. I am running the following command:

/opt/krb-1.6.3/bin/kinit -X pkinit_identity=FILE:/tmp/x509up_u31675 -X
pkinit_anchors=FILE:/opt/krb-1.6.3/var/krb5kdc/ca_certs/29c870c0.0 ma3d

and see an as_req go out to the kdc without any pa_data, followed by an
as_req with a padata field of type PA-ENCTYPE-INFO2 at which point kinit
prompts my for ma3d's password. It seems that the client is not trying
to use pkinit preauth data, so I figure I'm missing something, but I
can't figure out exactly what.

I've built the pkinit preauth module with the DEBUG macro defined, and
see the folloing debug output.


pkinit_init_plg_crypto: initializing openssl crypto context at 0x9f78ec0
pkinit_client_plugin_init: returning plgctx at 0x9f70100
(pkinit) received 'pkinit_identity' = 'FILE:/tmp/x509up_u31675'
(pkinit) received 'pkinit_anchors' =
'FILE:/opt/krb-1.6.3/var/krb5kdc/ca_certs/29c870c0.0'
pkinit_init_req_crypto: returning ctx at 0x9f6ffe8
pkinit_init_identity_crypto: returning ctx at 0x9f7a0f0
pkinit_client_req_init: returning reqctx at 0x9f7a0a8
Password for ma3d at FSG.NERSC.GOV: ^C
pkinit_client_req_fini: received reqctx at 0x9f7a0a8
pkinit_fini_req_crypto: freeing   ctx at 0x9f6ffe8
pkinit_fini_identity_crypto: freeing   ctx at 0x9f7a0f0
kinit(v5): Password read interrupted while getting initial credentials
pkinit_client_plugin_fini: got plgctx at 0x9f70100
pkinit_fini_plg_crypto: freeing context at 0x9f78ec0


Is there something obvious I'm missing here? If not, are there more
informative debug messages that I can turn on beyond what is enabled
just by defining DEBUG?

by the way, how do most people define the DEBUG macro? adding it to
CPPFLAGS via the top level configure invocation seems to break the build
for me so I just stuck it into pkinit.h

- -Matt Andrews
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHyIxwpLF3UzlwZVgRAuZqAKDf0SKuJnnJzq+/O5jLIuNQPq6WsgCglNS0
gvq2e6NHSfnxxUJlL6RJidw=
=WQE0
-----END PGP SIGNATURE-----

More information about the krbdev mailing list