Re: Using Smartcard with PK-INIT does not respond
Loren M. Lang wrote:
I am trying to enable smartcard logins to an MIT Kerberos domain using
the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its
stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
-DDEBUG.

Be careful here. If you renamed the old pkinit.so and copied
the new one into the same directory, they might both get loaded!
The plugin code loads all the files it finds regardless of name.


I have a server certificate installed on the KDC with the
extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
There is one intermediate certificate between it and the root CA.
Client certificates were generated similarly only with the
id_pkinit_KPClientAuth key usage and have two intermediates between it
and the same root CA. The client certificates are installed on a smart
card using opensc and are also enabled for the clientAuth key usage for
SSL client authentication. I also have intermediate CAs and the root CA
installed on the smart card as well. Firefox is able to see the smart
card including all intermediates and root CAs and is able to use it to
authenticate against an SSL website. Running kinit with debugging output
I was able to see that it was complaining that the smart card had four
matching certs. It did not filter out certificates missing the
appropriate key usages or missing subjectAltName, maybe that's typical.
I set up a pkinit_cert_match to filter out the other certificates and now
kinit reports finding exactly one match, but bails out later due to
missing intermediate certificates so I set up pkinit_pool to point
to /etc/ssl/certs with appropriate certificates. It did not seem to use
the intermediates already on the smart card, is this normal? Now kinit
was complaining about some broken symlinks that exist
under /etc/ssl/certs and it bails out. Shouldn't these just be ignored?
These symlinks point to missing certificates that have nothing to do with
the PKI infrastructure I am using, but once I moved the symlinks out of
the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
preauth data, but received no response. According to Wireshark,
following the initial AS-REQ with no preauth, the server responds with a
NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
and PA-PK-AS-REP. The client then sends a single IP fragment response.
The fragment has a payload of 1480 bytes with flag more fragments, but
no further fragments are sent. I have no firewall rules installed and
am at a loss as to why there are no more fragments.

As Kevin said, try TCP.

udp_preference_limit = 1

will force use of TCP.
------------------------------------------------------------------------

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos

--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
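The pkinit_cert_match filtering mentioned in the thread, as an added example that is neither part of this mailing-list exchange nor MIT Kerberos code: a small Python re-implementation of the documented rule syntax (<SUBJECT>, <ISSUER>, <SAN>, <EKU>, <KU> components with an optional leading && or ||), run over a constructed description of the four certificates on the card. It assumes that EKU/KU lists require all listed values to be present, and uses Python's re module in place of the POSIX regex the real client uses.

```python
import re

# Added example re-implementing the krb5.conf pkinit_cert_match rule syntax
# (not MIT Kerberos code). Assumptions: EKU/KU lists mean "all listed values
# present"; Python re stands in for POSIX regex.

COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>([^<]*)")

def parse_rule(rule):
    """Split '[&&|||]<COMP>value<COMP>value...' into (operator, [(comp, value), ...])."""
    rule = rule.strip()
    op = "&&"                       # default: every component must match
    if rule[:2] in ("&&", "||"):
        op, rule = rule[:2], rule[2:]
    comps = COMPONENT_RE.findall(rule)
    if not comps or "".join("<%s>%s" % c for c in comps) != rule:
        raise ValueError("malformed pkinit_cert_match rule: %r" % rule)
    return op, comps

def component_matches(cert, comp, value):
    """Evaluate one <COMP>value rule against a cert described as a dict."""
    if comp in ("SUBJECT", "ISSUER"):
        return re.search(value, cert[comp.lower()]) is not None
    if comp == "SAN":               # any one subjectAltName entry may satisfy the regex
        return any(re.search(value, san) for san in cert.get("san", []))
    wanted = {v.strip() for v in value.split(",") if v.strip()}
    return wanted <= set(cert.get(comp.lower(), []))   # EKU or KU: all listed present

def matching_certs(certs, rule):
    """Return the certs that satisfy the rule (&&: all components, ||: any)."""
    op, comps = parse_rule(rule)
    combine = all if op == "&&" else any
    return [c for c in certs if combine(component_matches(c, k, v) for k, v in comps)]

# Constructed stand-in for the four certificates on the card: one user cert
# plus two intermediates and the root, which carry no PKINIT EKU and no SAN.
CARD_CERTS = [
    {"label": "user", "subject": "CN=Loren M. Lang,O=Example", "issuer": "CN=Sub CA 2",
     "san": ["loren@EXAMPLE.COM"], "eku": ["pkinit", "clientAuth"],
     "ku": ["digitalSignature", "keyEncipherment"]},
    {"label": "subca2", "subject": "CN=Sub CA 2", "issuer": "CN=Sub CA 1", "ku": ["keyCertSign"]},
    {"label": "subca1", "subject": "CN=Sub CA 1", "issuer": "CN=Example Root", "ku": ["keyCertSign"]},
    {"label": "root", "subject": "CN=Example Root", "issuer": "CN=Example Root", "ku": ["keyCertSign"]},
]

if __name__ == "__main__":
    for rule in (r"<EKU>pkinit,clientAuth<SAN>.*@EXAMPLE\.COM", "||<SUBJECT>Sub CA<SUBJECT>Root"):
        print(rule, "->", [c["label"] for c in matching_certs(CARD_CERTS, rule)])
```

With the first rule the card narrows to exactly one certificate, which is the outcome kinit reported once pkinit_cert_match was configured.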