I am trying to enable smartcard logins to a MIT Kerberos domain using the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its stock Kerberos 1.6.4 packages except for pkinit.so recompiled with -DDEBUG. I have a server certificate installed on the KDC with the extended key usage id_pkinit_KPKdc and an appropriate subjectAltName. There is one intermediate certificate between it and the root CA. Client certificates were generated similarly, only with the id_pkinit_KPClientAuth key usage, and have two intermediates between them and the same root CA. The client certificates are installed on a smart card using opensc and are also enabled for the clientAuth key usage for SSL client authentication. I also have the intermediate CAs and the root CA installed on the smart card as well. Firefox is able to see the smart card including all intermediates and root CAs and is able to use it to authenticate against a SSL website.

Running kinit with debugging output, I was able to see that it was complaining that the smart card had four matching certs. It did not filter out certificates missing the appropriate key usages or missing subjectAltName; maybe that's typical. I set up a pkinit_cert_match to filter out the other certificates and now kinit reports finding exactly one match, but bails out later due to missing intermediate certificates, so I set up pkinit_pool to point to /etc/ssl/certs with the appropriate certificates. It did not seem to use the intermediates already on the smart card; is this normal? Now kinit was complaining about some broken symlinks that exist under /etc/ssl/certs and it bails out. Shouldn't these just be ignored? These symlinks point to missing certificates that have nothing to do with the PKI infrastructure I am using, but once I moved the symlinks out of the way, kinit continued and finally sent out an AS-REQ with the PK-INIT preauth data, but received no response.
According to Wireshark, following the initial AS-REQ with no preauth, the server responds with a NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ and PA-PK-AS-REP. The client then sends a single IP fragment in response. The fragment has a payload of 1480 bytes with the more-fragments flag set, but no further fragments are sent. I have no firewall rules installed and am at a loss as to why there are no more fragments.
-- Loren M. Lang [email protected] http://www.north-winds.org/ Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
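For reference, the client-side PKINIT settings the post walks through (certificate selection via pkinit_cert_match, intermediates via pkinit_pool, anchors) as they would sit in krb5.conf. This is an added illustration, not the poster's configuration; the realm name, hostnames, file paths and the OpenSC module path are assumptions, and the commented-out DIR: line shows the system bundle directory the post reports tripping over broken symlinks, replaced here by a dedicated file holding only the chain actually in use.

```ini
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org

        ; Trust anchor: the root CA only, in a dedicated file (path assumed).
        pkinit_anchors = FILE:/etc/krb5/pkinit/root-ca.pem

        ; Intermediate CAs needed to chain the KDC and client certificates
        ; up to the root. A whole system bundle directory such as the one
        ; below pulls in every entry, broken symlinks included; a file that
        ; holds just the intermediates of this PKI avoids that.
        ; pkinit_pool = DIR:/etc/ssl/certs
        pkinit_pool = FILE:/etc/krb5/pkinit/intermediates.pem

        ; Pick the smart card certificate: require both the PKINIT client
        ; EKU and the digitalSignature key usage (leading && means AND),
        ; so certificates issued only for SSL clientAuth are skipped.
        pkinit_cert_match = &&<EKU>pkinit<KU>digitalSignature

        ; Client identity read from the token through PKCS#11
        ; (module path assumed for an OpenSC install).
        pkinit_identities = PKCS11:/usr/lib/opensc-pkcs11.so
    }
```

On the KDC side the matching kdc.conf entries are pkinit_identity (the KDC certificate and key) and pkinit_anchors pointing at the same root; nothing here changes the IP fragmentation behaviour the post ends with, which has to be investigated on the network path.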
