krb5-1.8-alpha1 is available
Douglas E. Engert
deengert at anl.gov
Mon Jan 18 14:56:16 EST 2010
Tom Yu wrote:
> "Douglas E. Engert" <deengert at anl.gov> writes:
>
>> Tom Yu wrote:
>
>> With using pam_krb5-4.0, pam-afs-session-1.7, opensc-0.11.12,
>> OpenSSL-0.9.8i and pcsc-lite-1.5.5, I can use PKINIT with smart card
>> to W2008 DCs.
>
> This is excellent news. How complicated is the configuration to set
> up?
Ubuntu 9.10 comes with krb5-pkinit-1.7dfsg~beta3-1ubuntu0.3,
libpam-krb5-3.15-1, opensc-0.11.8-1ubuntu1, libpcsclite1-1.5.3-1ubuntu1,
libccid-1.3.10-1 and uses the same conf files as krb5-1.8. So it's all there
except for the krb5.conf and CA certs.
A sanitized krb5.conf is attached.
Our KDCs are Windows 2008 DCs. Note: the pkinit_kdc_hostname
entries are case sensitive, and for some reason one of the KDCs
used lowercase for the host name, while the others use an uppercase
hostname. Check with your AD or a network trace.
All our certs (including the HSPD-12 PIV certs) have the MS smart card login
ExtendedKeyUsage, as well as the SubjectAltname:OtherName:msUPN,
so pkinit_cert_match = <EKU>msScLogin is used.
For PIV cards issued by OMB, the msUPN has something like:
123456789@FEDIDCARD.GOV. The AD admin sets the UserPrincipalName attribute
in the user's AD account. A user and password can still be used, as AD will
look for the UPN or a principal derived from the SamAccountName and Domain name.
The KDC certs are signed by the domain enterprise CA, which has two levels.
pkinit_anchors = DIR:/opt/smartcard/trusted.certdir contains the rootCA cert
and the OpenSSL subject_hash.N link to it. The /opt/smartcard/pool.certdir
contains the intermediate CA cert and the subject_hash.N link to it.
The [appdefaults] pam section has:
pkinit_user = PKCS11:module_name=/opt/smartcard/lib/opensc-pkcs11.so
(On Ubuntu it also has try_pkinit = 1 and pkinit_prompt = true)
On the Solaris system, all this is still in test. krb5-1.8 was built with --prefix=/krb5m,
and OpenSC with --prefix=/opt/smartcard. /etc/krb5.conf is modified for pkinit.
(The /etc/krb5/krb5.conf is used by the Solaris krb5, so I can use either their
Kerberos or the /krb5m test version.)
The same version of OpenSSL was used for both OpenSC and krb5.
This was located in /opt/smartcard:
OPENSSL_LIBS=-L/opt/smartcard/lib -R/opt/smartcard/lib
LDFLAGS=-g -L/opt/smartcard/lib -R/opt/smartcard/lib
CPPFLAGS= -I/opt/smartcard/include
export OPENSSL_LIBS LDFLAGS CPPFLAGS
../src/configure --enable-shared --enable-kdc-replay-cache --prefix=/krb5m
OpenSC, pcsclite and ccid were built with similar options, with
--prefix=/opt/smartcard and -R/opt/smartcard/lib:/usr/sfw/lib. pcsclite uses
libusb from /usr/sfw/lib.
pcscd is then started from /etc/init.d/pcscd or /opt/smartcard/sbin/pcscd
The opensc.conf did not require any changes, but that depends on what
cards you might be using.
The Solaris pam.conf has for gdm:
#DEE smartcard failed, so skip it for now
#dtlogin auth requisite pam_smartcard.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_cred.so.1
dtlogin auth optional /krb5m/lib/security/pam_krb5.so debug try_pkinit try_first_pass minimum_uid=100
dtlogin auth required /krb5m/lib/security/pam_afs_session.so debug
# allows password login (for root)
dtlogin auth optional pam_unix_auth.so.1
#
# For testing with /krb5m need account and session too:
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtlogin account optional /krb5m/lib/security/pam_krb5.so debug minimum_uid=100
dtlogin session required pam_unix_session.so.1
dtlogin session optional /krb5m/lib/security/pam_krb5.so debug minimum_uid=100
Russ's pam_krb5 is used, and it will prompt for a user, then a password.
At this point, if a single space is entered for the password, it will not be
used and a prompt for the PIN of the card will be presented.
So the user would insert the card before typing anything, then answer the
login or screen unlock prompts.
Additionally on Ubuntu, there is a missing symlink needed by OpenSC to pcsclite:
cd /usr/lib
ln -s /lib/libpcsclite.so.1 libpcsclite.so
ln -s /lib/libpcsclite.so.1 libpcsclite.so.1
So it's messy to set up on Solaris for testing, but the Ubuntu setup is rather
easy if using the existing packages.
Sun is coming up with their own pam_krb5 that will work differently.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
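Building the two DIR: directories described above (the trusted anchors with the root CA, the pool with the intermediate) and verifying a KDC certificate against them, as an added example that is not part of the original post. The certificates are throw-away test certs constructed by the script, and the CA names and directory names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the two DIR: directories the
# post describes (pkinit_anchors = DIR:... holding the root CA, pkinit_pool = DIR:...
# holding the intermediate) with OpenSSL subject_hash.N links, then verify a KDC
# certificate against them the way a PKINIT client would. All certificates are
# constructed throw-away test certs; CA names and directory names are assumptions.
set -eu

# Copy each PEM into DIR and add a <subject_hash>.N link, bumping N on collision.
make_certdir() {
    dir=$1; shift
    mkdir -p "$dir"
    for pem in "$@"; do
        cp "$pem" "$dir/"
        h=$(openssl x509 -subject_hash -noout -in "$pem")
        n=0
        while [ -L "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$h.$n"
    done
}

# Issue root -> intermediate -> KDC in the given work dir, fill the trusted and
# pool dirs, and verify the KDC cert. Returns 0 when the chain validates.
build_and_verify() {
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Test Root CA" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
        -subj "/CN=Test Enterprise CA" 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -set_serial 2 \
        -days 1 -extfile ca.ext -out sub.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout kdc.key -out kdc.csr \
        -subj "/CN=KDC1.EXAMPLE.TEST" 2>/dev/null
    openssl x509 -req -in kdc.csr -CA sub.pem -CAkey sub.key -set_serial 3 \
        -days 1 -out kdc.pem 2>/dev/null
    make_certdir trusted.certdir root.pem   # only the root is a trust anchor
    make_certdir pool.certdir sub.pem       # intermediates go in the pool
    # -CApath trusts only trusted.certdir; the intermediate is supplied as
    # untrusted, which is how pkinit_pool is used. Hash both dirs with the same
    # OpenSSL that krb5 links against: the subject hash changed in OpenSSL 1.0.0,
    # so a directory hashed by 0.9.8 is invisible to a 1.x library and vice versa.
    openssl verify -CApath trusted.certdir -untrusted pool.certdir/sub.pem kdc.pem >/dev/null
}

work=$(mktemp -d)
build_and_verify "$work" && echo "KDC chain OK in $work"
```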
Attachment: krb5.conf.pkinit.sample
Url: http://mailman.mit.edu/pipermail/krbdev/attachments/20100118/302c9b06/attachment.bat