What Should I Push On?

Henry B. Hotz hotz at jpl.nasa.gov
Thu May 3 20:52:58 EDT 2012

I'm trying the native pkinit support in Scientific Linux 6.2 (a RHEL clone).  If I'm reading the release notes correctly, this is the first version which has native support for PIV cards in addition to PKINIT.  The reported version of Kerberos is (64-bit) 1.9-22.el6_2.1 which may or may not correspond to anything useful besides the 1.9.

It fails in a way which suggests to me it may be an installation problem, or, well, read for yourself...  I also tried a PKCS12-file-based identity with identical pkinit module errors.

[sl6hotz hotz]# kinit -X X509_user_identity=PKCS11:/usr/lib64/pkcs11/libcoolkeypk11.so hotz@SC.JPL.NASA.GOV
[5571] 1336088305.990939: Getting initial credentials for hotz@SC.JPL.NASA.GOV
[5571] 1336088305.991782: Sending request (204 bytes) to SC.JPL.NASA.GOV
[5571] 1336088305.997779: Sending initial UDP request to dgram
[5571] 1336088306.6208: Received answer from dgram
[5571] 1336088306.8698: Response was from master KDC
[5571] 1336088306.8741: Received error from KDC: -1765328359/Additional pre-authentication required
[5571] 1336088306.8794: Processing preauth types: 16, 15, 2, 19
[5571] 1336088306.8828: Selected etype info: etype aes256-cts, salt "SC.JPL.NASA.GOVhotz", params "
CoolKey PIN: 
[5571] 1336088310.707006: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
[5571] 1336088310.708361: Preauth module pkinit (15) (flags=1) returned: 12/Cannot allocate memory

[[So it never even tries PKINIT on the wire.]]

Password for hotz@SC.JPL.NASA.GOV: 
[5571] 1336088311.590915: AS key obtained for encrypted timestamp: aes256-cts/389B
[5571] 1336088311.591080: Encrypted timestamp (for 1336088311.590930): plain 301AA011180F32303132303530333233333833315AA1050203090452, encrypted AC5B0BA9D9B9DE6E16010410B61DFDE439B6678C504EB39CB0665778D82A7781A77FEEB54E819A736B9DA7F141C29E9B8CC796D840666250
[5571] 1336088311.591105: Produced preauth for next request: 2
[5571] 1336088311.591137: Sending request (284 bytes) to SC.JPL.NASA.GOV (master)
[5571] 1336088311.594765: Sending initial UDP request to dgram
[5571] 1336088311.600287: Received answer from dgram
[5571] 1336088311.600315: Received error from KDC: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
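
The trace above shows the pattern worth catching on any host that is supposed to be doing smart-card logon: the pkinit module fails locally (errno 12, before a single PKINIT byte reaches the KDC) and kinit quietly falls back to an encrypted-timestamp password exchange. The following script is an added example, not part of the original post or of MIT Kerberos; it parses KRB5_TRACE-style lines of the form "[pid] timestamp: message" (as printed by krb5 1.9 and later) and reports which preauth types the KDC offered, which client modules failed, and whether the client ended up producing PA-ENC-TIMESTAMP (type 2) instead of a PA-PK-AS-REQ (type 16/15). The sample trace embedded below is a trimmed copy of the lines from the post.

```python
"""Summarise a KRB5_TRACE log and flag a PKINIT-to-password fallback.

Added example, not code from the original post or from MIT Kerberos.
It assumes the trace record layout "[pid] seconds.micros: message"
used by krb5 1.9+ when KRB5_TRACE is set.
"""
import re
from dataclasses import dataclass, field

# Preauth type numbers as they appear in the trace (RFC 4120 / RFC 4556).
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ_OLD = 15
PA_PK_AS_REQ = 16

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
OFFERED_RE = re.compile(r"Processing preauth types: (?P<types>[\d, ]+)")
MODULE_RE = re.compile(
    r"Preauth module (?P<name>\w+) \((?P<patype>\d+)\) \(flags=\d+\) "
    r"returned: (?P<code>-?\d+)/(?P<text>.*)")
PRODUCED_RE = re.compile(r"Produced preauth for next request: (?P<types>[\d, ]+)")
KDC_ERR_RE = re.compile(r"Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)")


@dataclass
class TraceSummary:
    offered: list = field(default_factory=list)          # preauth types the KDC advertised
    module_failures: list = field(default_factory=list)  # (module, patype, code, text)
    produced: list = field(default_factory=list)         # preauth types the client sent
    kdc_errors: list = field(default_factory=list)       # (code, text)

    def pkinit_failed_locally(self) -> bool:
        """True if the pkinit client module returned a non-zero code."""
        return any(name == "pkinit" for name, _, _, _ in self.module_failures)

    def fell_back_to_password(self) -> bool:
        """True if the client ended up sending an encrypted-timestamp (password) preauth."""
        return PA_ENC_TIMESTAMP in self.produced


def _ints(csv: str) -> list:
    return [int(x) for x in csv.split(",") if x.strip()]


def parse_trace(lines) -> TraceSummary:
    """Build a TraceSummary from an iterable of trace/prompt lines."""
    summary = TraceSummary()
    for raw in lines:
        rec = LINE_RE.match(raw.strip())
        if not rec:
            continue  # prompts such as "CoolKey PIN:" are not trace records
        msg = rec.group("msg")
        if (m := OFFERED_RE.search(msg)):
            summary.offered = _ints(m.group("types"))
        elif (m := MODULE_RE.search(msg)):
            if m.group("code") != "0":
                summary.module_failures.append(
                    (m.group("name"), int(m.group("patype")),
                     int(m.group("code")), m.group("text")))
        elif (m := PRODUCED_RE.search(msg)):
            summary.produced.extend(_ints(m.group("types")))
        elif (m := KDC_ERR_RE.search(msg)):
            summary.kdc_errors.append((int(m.group("code")), m.group("text")))
    return summary


def diagnose(summary: TraceSummary) -> str:
    """One-line verdict on what the client actually did."""
    if summary.pkinit_failed_locally() and summary.fell_back_to_password():
        return ("pkinit failed client-side before any PKINIT exchange; "
                "client fell back to password preauth")
    if summary.pkinit_failed_locally():
        return "pkinit failed client-side; no password fallback observed"
    if PA_PK_AS_REQ in summary.produced or PA_PK_AS_REQ_OLD in summary.produced:
        return "PKINIT request was sent to the KDC"
    return "no PKINIT activity in trace"


# Trimmed copy of the trace from the post above (constructed sample input).
SAMPLE_TRACE = """\
[5571] 1336088305.990939: Getting initial credentials for hotz@SC.JPL.NASA.GOV
[5571] 1336088306.8741: Received error from KDC: -1765328359/Additional pre-authentication required
[5571] 1336088306.8794: Processing preauth types: 16, 15, 2, 19
CoolKey PIN:
[5571] 1336088310.707006: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
[5571] 1336088310.708361: Preauth module pkinit (15) (flags=1) returned: 12/Cannot allocate memory
Password for hotz@SC.JPL.NASA.GOV:
[5571] 1336088311.591105: Produced preauth for next request: 2
[5571] 1336088311.600315: Received error from KDC: -1765328360/Preauthentication failed
"""

if __name__ == "__main__":
    s = parse_trace(SAMPLE_TRACE.splitlines())
    print("offered:", s.offered, "produced:", s.produced)
    for name, patype, code, text in s.module_failures:
        print(f"module {name} (pa-type {patype}) failed: {code}/{text}")
    print(diagnose(s))
```

Run it against `KRB5_TRACE=/dev/stderr kinit ... 2>&1 | python3 thisscript.py`-style captured output (or feed the file to `parse_trace`); a summary where `pkinit_failed_locally()` and `fell_back_to_password()` are both true is the case from this message, and is the condition a site that mandates card logon would want to alert on, since the user is prompted for a password without the KDC ever seeing a PKINIT request.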
