krb5-1.8-alpha1 is available
Douglas E. Engert
deengert at anl.gov
Mon Jan 18 14:56:16 EST 2010
Tom Yu wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
>> Tom Yu wrote:
>> With using pam_krb5-4.0, pam-afs-session-1.7, opensc-0.11.12,
>> OpenSSL-0.9.8i and pcsc-lite-1.5.5, I can use PKINIT with smart card
>> to W2008 DCs.
> This is excellent news. How complicated is the configuration to set
Ubuntu 9.10 comes with krb5-pkinit-1.7dfsg~beta3-1ubuntu0.3,
libpam-krb5-3.15-1, opensc-0.11.8-1ubuntu1, libpcsclite1-1.5.3-1ubuntu1,
libccid-1.3.10-1 and uses the same conf files as krb5-1.8. So its all there
accept for the krb5.conf and CA certs.
A sanitized krb5.conf is attached.
Our KDCs are Windows 2008 DCs. Note: the pkinit_kdc_hostname
entries are case sensitive, and for some reason one of the KDCs
used lowercase for the host name, while the others uses an uppercase
hostname. Check with you AD or network trace.
All our certs (including the HSPD-12 PIV certs) have the MS smart card login
ExtendedKeyUsage, as well as the SubjectAltname:OtherName:msUPN,
so pkinit_cert_match = <EKU>msScLogin is used.
For PIV cards issued by OMB, the msUPN has something like:
123456789 at FEDIDCARD.GOV The AD admin sets the UserPrincipalName attribute
in the user's AD account. A user and password can still be used, as AD will
look for the UPN or a principal derived from the SamAccountName and Domain name.
The KDC certs are signed by the domain enterprise CA, which has two levels
pkinit_anchors = DIR:/opt/smartcard/trusted.certdir contains the rootCA cert,
and the OpenSSL subject_hash.N link to it. The /opt/smartcard/pool.certdir
contains the intermediate CA cert and subject_hash.N link to it.
The [appdefaults] pam section has:
pkinit_user = PKCS11:module_name=/opt/smartcard/lib/opensc-pkcs11.so
(On Ubuntu it also has try_pkinit = 1 and pkinit_prompt = true)
On the Solaris system, all this is still test. krb5-1.8 was built with --prefix=/krb5m,
and the OpenSC with --prefix=/opt/smartcard. /etc/krb5.conf is modified for pkinit.
(The /etc/krb5/krb5.conf is used by the Solaris krb5. So I can use either their
Kerberos or the /krb5m test version. )
The same version of OpenSSL was used for both OpenSC and krb5.
This was located in /opt/smartcard:
LDFLAGS=-g -L/opt/smartcard/lib -R/opt/smartcard/lib
export OPENSSL_LIBS LDFLAGS CPPFLAGS
../src/configure --enable-shared --enable-kdc-replay-cache --prefix=/krb5m
OpenSC and pcsclite and ccid were built with with similar options with
--prefix=/opt/smartcard and -R/opt/smartcard/lib:/usr/sfw/lib. pcsclite uses
libusb from /usr/sfw/lib.
pcscd is then started from /etc/init.d/pcscd or /opt/smartcard/sbin/pcscd
The opensc.conf did not require any changes, but that depends on what
cards you might be using.
The Solaris pam.conf has for gdm:
#DEE smartcard failed, so skip it for now
#dtlogin auth requisite pam_smartcard.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_cred.so.1
dtlogin auth optional /krb5m/lib/security/pam_krb5.so debug try_pkinit try_first_pass minimum_uid=100
dtlogin auth required /krb5m/lib/security/pam_afs_session.so debug
# allows password login (for root)
dtlogin auth optional pam_unix_auth.so.1
# For testing with /krb5m need account and session too:
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtlogin account optional /krb5m/lib/security/pam_krb5.so debug minimum_uid=100
dtlogin session required pam_unix_session.so.1
dtlogin session optional /krb5m/lib/security/pam_krb5.so debug minimum_uid=100
Russ's pam_krb5 is used, and it will prompt for a user, then a password
at this point "if a singe space" is entered for the password, it will not be
used and a prompt for the PIN of the card will be presented.
So the user would insert the card before typing anything, then answer the
login or screen unlock prompts.
Additionally on Ubuntu, there is a missing symlink needed by OpenSC to pcsclite:
ln -s /lib/libpcsclite.so.1 libpcsclite.so
ln -s /lib/libpcsclite.so.1 libpcsclite.so.1
So its messy to setup on Solaris for testing, but the Ubuntu setup is rather
easy if using the existing packages.
Sun is coming up with their own pam_krb5 that will work differently.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
More information about the krbdev