What Should I Push On?

[Henry B. Hotz]

I won't apologize for starting this thread, since I think the discussions have been very useful (if a bit off-topic sometimes).  Hope everyone else enjoyed them as much as I did.

In the end the only thing I would call an actual bug is that the pkinit client plug-in tries to validate the cert on the presented smart card.  That's the kdc's job, not the client's.  Perhaps there's a config option I don't understand which disables that?  It's not hard to work around.

The distribution's coolkey library seems to work fine (at least on a Scientific Linux system).  I don't doubt Doug Engert's investigation, but the platform probably has an effect.  In the SRPM, hunk 14 of coolkey-cac.patch is rejected, but you can figure out what it ought to be by looking at the "before" code in a later patch.  I'll be keeping Doug's patches around in case I run into a problem later.

The output to KRB5_TRACE is insufficient (for me anyway) to debug the configuration for the PKINIT plugin.  You need (at least some of) the stuff that would be output by the pkiDebug() function.  Building with CPPFLAGS=-DDEBUG does the job, but requires a few minor patches to build.  Since the needed patches seem to be the same on SL6 and MacOS 10.6, I'll submit those after I send this email.

I've been doing smart-card Kerberos for some time.  Now I've got all the i's dotted and t's crossed for a no-password realm that doesn't need custom client software on the core OSs used in some of our most critical infrastructure.  

Thanks guys!

On May 14, 2012, at 6:21 PM, Henry B. Hotz wrote:

> I've been holding off on adding to this thread until I could be more definitive, but here's a progress report:
> 
> First, the immediate cause of the memory allocation error was that I was feeding a .der file instead of .pem file to kerberos as an anchor.  Since that's documented, it qualifies as a user error.
> 
> Second, getting the "no anchors in file" error to print requires building a version with -DDEBUG, not merely setting KRB5_TRACE.  Doing that build (at least on MacOS 10.6) required 4-5 minor patches.
> 
> Third, "retrying with TCP" did not work (with a Heimdal 1.2 server anyway).  Forcing TCP to begin with was sufficient to get MIT kinit to work with a file-based X.509 credential.  This may not be MITs fault since Heimdal kinit degrades severely with UDP when scaling up the load to multiple client machines with multiple clients/machine.  Messages larger than a single UDP packet are probably a contributing factor, but I have not verified this.  Since forcing TCP might be a good idea anyway, it will be a while before I get back to this issue.
> 
> So, like I said, that gets things working with a file-based credential.
> 
> Fourth, as Doug said, there are multiple coolkey-1.1.0-19.el6.src.rpm's out there.  After some hunting, the one he posted the patch for is:
> 
> http://koji.thewebwillow.com/kojifiles/packages/coolkey/1.1.0/19.el6/src/coolkey-1.1.0-19.el6.src.rpm
> 
> The MD5 matches.  It contains a "coolkey-piv.patch" file.  And the source file he's patching actually matches up with his diff after you apply all the patches in the SRPM.  However I don't think this is a real "el6" SRPM.  As rank speculation, it might be based off of the coolkey fork on software.forge.mil.  I don't have access to that, and I don't know if I can get it either.
> 
> I will definitely be trying out that SRPM (and Doug's patch) as soon as I get a few other fires put out.
> 
> On May 14, 2012, at 1:31 PM, Dmitri Pal wrote:
> 
>> On 05/05/2012 01:58 PM, Henry B. Hotz wrote:
>>> Thanks for the info.  I may have issues to deal with after this one.  *sigh*
>>> 
>>> Since the specific problem shows with a PKCS12 credential as well, I'm thinking I should get a real RedHat 6.2 instance to test with first.
>>> 
>> 
>> Is there any way to get these cards to Red Hat for us to be able test
>> this issue?
>> If this is an option please contact me off list.
> 
> I already responded to Nathan Kinder off-list with a possible NASA contact.  NASA PIV cards are issued under a NASA CA which is under the US Treasury CA.  I know in the past they have provided test cards to Apple.  I don't think it was easy to make that happen, but seems in theory it ought to be possible for RedHat as well.  Not my department, unfortunately.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu