Also - I use activclient smartcard readers and they are acceptable for linux systems without any issue.

On Saturday, March 9, 2013 12:48:23 PM UTC-5, [email protected] wrote:
> Hello Douglas,
>
> Thank you for your reply. It gives me hope to solve the ongoing issue.
>
> Please let me give an explanation of the environment in which I am trying to use smart cards.
>
> I would like to use both Linux (CentOS) and Windows as client machines.
>
> However, only Linux (CentOS) is used as our server operating system. CentOS is a Red Hat Linux variant.
>
> I already have a fully configured working setup of: OpenLDAP, GSSAPI, and Kerberos, set up as the user authorization and authentication mechanism with Windows and Linux clients.
>
> The OpenLDAP repository is used as the principal database for Kerberos, so OpenLDAP (389 Directory Server) is used for authorization and Kerberos is used for authentication.
>
> Users can log in using password Kerberos authentication with ssh and they will receive Kerberos tickets with the current configuration.
>
> However, I would like to get rid of passwords and use PIV card pkinit authentication with Kerberos instead of using passwords.
>
> I understand that AD and Windows have a good implementation of pkinit, but I do want to use AD for KDC or for directory service.
>
> I have tried configuring KDC and clients with pkinit for client console login.
>
> I would just want the users to get Kerberos tickets when they log in to the Linux client console.
>
> Initially - I have tried PAM authentication for smartcard and I was successful in using the smartcard CA for login using my smart card PIN. So I can log in using the smartcard to all Linux machines. However, I also would want to get Kerberos tickets once I log in.
>
> This is where pam_krb5 and krb5.conf come into the picture, and I have configured those too with respect to the pkinit configuration.
>
> Now when I try to log in (after PAM is configured to use Kerberos), I do get a prompt for entering my PIN, but after I enter my PIN - Kerberos still cannot authenticate me, with logs mentioning that:
>
> "Decrypt integrity check failed"
>
> I have searched the forums, and I understand that the above log message means that the KDC is not able to decrypt, either because the password is wrong or it doesn't support the encryption used.
>
> I am confused that, if PAM authentication can decrypt and allow me to log in using the SMART card CA, why is it that the KDC is not able to decrypt?
>
> It could be that I did not configure the krb5.conf accurately.
>
> If I can use kinit to initiate pkinit with the smart card, I would then be able to debug if this issue is related to Kerberos only or PAM and Kerberos.
>
> Please do help me with the respective Kerberos configuration for smartcard.
>
> My smartcard info is as below:
>
> Model: ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK
>
> I do not know the code used inside the smartcard.
>
> It uses signature algorithm: sha256rsa
>
> Also, please do find my comments below.
>
> Thank you for your help, and I would be happy to hear from you.
>
> Regards,
>
> Lohit
>
> On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
> > On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> > > Dear Community,
> > >
> > > I assume I have mailed to the right community list for these kinds of questions. If I have mailed to the wrong location - may I please ask for the respective mailing address.
> > >
> > > I am a system administrator for a high performance cluster, and I am thinking of setting up smartcard authentication with Kerberos.
> > >
> > > I have already completed Kerberos authentication implementation for users of the cluster, through kinit and GSSAPI.
> > >
> > > These are the steps that I have followed to set up pkinit with smartcard.
> > >
> > > 1. I have created a CA to issue the CA certificates, CA key and use those to create the KDC certificates and client certificates as mentioned in the below link.
> > >
> > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> > >
> > > 2. However, in order to use smartcard along with PAM and Kerberos authentication - I need to use the CAs given by our organization for the smart card, for which we do not have the CA key.
> >
> > Your organization's CA can sign a certificate request created by the key on the card or by the KDC. The signed request then becomes the certificate signed by the CA. You as the Kerberos admin don't need the CA's key.
>
> I had asked the above question assuming we have to use the SMART card CA to create the KDC certificate, for which I would have to send the KDC certificate request to the organization's CA. However, I would like to keep a separate CA for the KDC, and since we can use different CAs - that solves the above issue.
>
> > > My question is: do we have to use the same CA for KDC, client and smartcard certificates? Or could we mention 2 different CAs to the KDC for KDC/client certificates and the smartcard certificate?
> >
> > You can use different CAs. The client will need a copy of the CA certificate that signed the KDC's certificate. The KDC needs a copy of the CA certificate used to sign the smart card certificate. (simplest case.)
>
> I do have the CA used to create the KDC, and also the CA used for the certificate on the SMART/PIV card. I have also configured the KDC to use both CAs under a directory. However, the KDC still gives me the error: "Decrypt integrity check failed".
>
> > > In that way, it would be helpful if the KDC could use a self-generated CA certificate for the KDC and client certificate, while it uses the smartcard CA certificate for user login authentication with the smart card.
> > >
> > > Also, may I know how we kinit using the smartcard - in order to debug if the issue is with the PAM login attempt or Kerberos authentication.
> > >
> > > I would be happy to hear from you.
> >
> > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT. Windows 7 and above come with all the software needed if you are using certain types of smart cards (HSPD-12 PIV cards, for example).
> >
> > Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
> >
> > We use some smart cards with certificates signed by our Windows enterprise CA, as well as government issued cards, to log in to Windows or Unix.
> >
> > What cards are you using?
> > What code to manage the cards?
> > What code on the cards?
> > What card readers?
> >
> > > Thank you
> > >
> > > Lohit
> > > ________________________________________________
> > > Kerberos mailing list [email protected]
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > --
> > Douglas E. Engert
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
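The two-CA PKINIT layout Douglas describes (one CA for the KDC certificate, the organisation's CA for the card certificate), written out as krb5.conf and kdc.conf fragments. This is an added example, not configuration from the thread or from the MIT krb5 documentation; the realm EXAMPLE.ORG, the KDC hostname, all file paths and the PKCS#11 module location are assumptions to replace with local values.

```ini
# --- Client side: /etc/krb5.conf (added example; realm, host, paths and module are assumptions)
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        # CA that signed the KDC's own certificate (the self-generated KDC CA from the thread).
        # The client uses it to verify the KDC's signed PKINIT reply; the card CA is not needed here.
        pkinit_anchors = FILE:/etc/pki/krb5/kdc-ca.pem
        # Take the user's certificate and private key from the card through PKCS#11
        # instead of from files. The PIN prompt is raised by this module, not by the KDC.
        # Module path is an assumption; check where opensc-pkcs11.so is installed locally.
        pkinit_identities = PKCS11:module_name=/usr/lib64/opensc-pkcs11.so
        # Require the KDC certificate to carry the KDC extended key usage.
        pkinit_eku_checking = kpKDC
    }

# --- KDC side: /var/kerberos/krb5kdc/kdc.conf (added example; paths are assumptions)
[realms]
    EXAMPLE.ORG = {
        # KDC certificate and private key, issued by the KDC-only CA.
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # pkinit_anchors may be listed more than once: one entry per CA the KDC should
        # trust for client certificates. The smart card CA must be among them, or the
        # KDC cannot validate the card certificate presented in the AS-REQ.
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacerts/kdc-ca.pem
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacerts/smartcard-ca.pem
        # The KDC also has to map the card certificate to the Kerberos principal. MIT krb5
        # looks for the principal in a pkinit subjectAltName; a certificate that carries only
        # a Microsoft UPN SAN (common on PIV/enterprise-issued cards) is accepted only if
        # the following is enabled, so check which SAN the card certificate actually has.
        # pkinit_allow_upn = true
    }
```

To exercise PKINIT without PAM in the loop, the same identity can be given to kinit directly, e.g. `KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so user@EXAMPLE.ORG`; if kinit falls back to a password prompt instead of asking for the PIN, the client side never attempted PKINIT and the PIN is being sent as a password.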
or if we could mention 2 different CA's to KDC for > > > > > > > KDC,Client certificates and Smartcard certicate? > > > > > > > > > > > > You can use different CAs. The client will need a copy of the CA certificate > > > > > > that signed the KDC's certificate. The KDC needs a copy of the CA > > certificate > > > > > > used to sign the smart card certificate. (simplest case.) > > > > > > > > > > > > > > > > > > > > In that way, It would be helpful - If KDC could use a self-generated CA > > > > > > > certificate for the KDC and Client certificate, while it will use the > > > > > > > Smartcard CA certificate for user login authentication with smart card. > > > > > > > > > > > > > > Also, may i know how we kinit using smartcard - in order to debug if the > > > > > > > issue is with PAM login attempt or kerberos authentication. > > > > > > > > > > > > > > I would be happy to hear from you. > > > > > > > > > > > > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT. > > > > > > Windows 7 and above come come with all the software needed if you are > > > > > > using certain types of smart cards (HSPD-12 PIV) cards for example. > > > > > > > > > > > > Linux and Macs with Kerberos and PKINIT can use AD as the KDC. > > > > > > > > > > > > We use some smart cards with certificates signed by our windows > > > > > > enterprise CA, as well as government issued cards to login to Windows > > > > > > or Unix. > > > > > > > > > > > > What cards are you using? > > > > > > What code to manager the cards? > > > > > > What code to the cards? > > > > > > What card readers? > > > > > > > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > Lohit > > > > > > > ________________________________________________ > > > > > > > Kerberos mailing list [email protected] > > > > > > > https://mailman.mit.edu/mailman/listinfo/kerberos > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Douglas E. 
Engert > > > > > > Argonne National Laboratory > > > > > > 9700 South Cass Avenue > > > > > > Argonne, Illinois 60439 > > > > > > (630) 252-5444 > > > > > > > > On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote: > > > On 2/26/2013 3:39 PM, Lohit Valleru wrote: > > > > > > > Dear Community, > > > > > > > > > > > > > > I assume, i have mailed to the right community list for these kind of > > > > > > > questions. If i have mailed to the wrong location - may i please ask for > > > > > > > the respective mailing address. > > > > > > > > > > > > > > I am a system administrator for a high performance cluster, and I am > > > > > > > thinking of setting up a smartcard authentication with kerberos. > > > > > > > > > > > > > > I have already completed kerberos authentication implementation for users > > > > > > > of the cluster,through kinit and gssapi. > > > > > > > > > > > > > > These are the steps that i have followed to setup pkinit with smartcard. > > > > > > > > > > > > > > 1. I have created a CA to issue the CA certificates, CAkey and use those > > > to > > > > > > > create the KDC certificates and Client certificaties as mentioned in the > > > > > > > below link . > > > > > > > > > > > > > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html > > > > > > > > > > > > > > 2. However, in order to use smartcard along with PAM and kerberos > > > > > > > authentication - i need to use the CAs given by our organization for the > > > > > > > smart card, for which we do not have the CA key. > > > > > > > > > > > > Your organization's CA can sign a certificate request created by the > > > > > > key on the card or by the KDC. The signed request then becomes the > > certificate. > > > > > > signed by the CA. You as the Kerberos admin don't need the CA's key. > > > > > > > > > > > > > > > > > > > > My question is : If we have to use the same CA for KDC, Client and > > > > > > > Smartcard certificates? 
or if we could mention 2 different CA's to KDC for > > > > > > > KDC,Client certificates and Smartcard certicate? > > > > > > > > > > > > You can use different CAs. The client will need a copy of the CA certificate > > > > > > that signed the KDC's certificate. The KDC needs a copy of the CA > > certificate > > > > > > used to sign the smart card certificate. (simplest case.) > > > > > > > > > > > > > > > > > > > > In that way, It would be helpful - If KDC could use a self-generated CA > > > > > > > certificate for the KDC and Client certificate, while it will use the > > > > > > > Smartcard CA certificate for user login authentication with smart card. > > > > > > > > > > > > > > Also, may i know how we kinit using smartcard - in order to debug if the > > > > > > > issue is with PAM login attempt or kerberos authentication. > > > > > > > > > > > > > > I would be happy to hear from you. > > > > > > > > > > > > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT. > > > > > > Windows 7 and above come come with all the software needed if you are > > > > > > using certain types of smart cards (HSPD-12 PIV) cards for example. > > > > > > > > > > > > Linux and Macs with Kerberos and PKINIT can use AD as the KDC. > > > > > > > > > > > > We use some smart cards with certificates signed by our windows > > > > > > enterprise CA, as well as government issued cards to login to Windows > > > > > > or Unix. > > > > > > > > > > > > What cards are you using? > > > > > > What code to manager the cards? > > > > > > What code to the cards? > > > > > > What card readers? > > > > > > > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > Lohit > > > > > > > ________________________________________________ > > > > > > > Kerberos mailing list [email protected] > > > > > > > https://mailman.mit.edu/mailman/listinfo/kerberos > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Douglas E. 
Engert > > > > > > Argonne National Laboratory > > > > > > 9700 South Cass Avenue > > > > > > Argonne, Illinois 60439 > > > > > > (630) 252-5444 > > > > > > > > On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote: > > > On 2/26/2013 3:39 PM, Lohit Valleru wrote: > > > > > > > Dear Community, > > > > > > > > > > > > > > I assume, i have mailed to the right community list for these kind of > > > > > > > questions. If i have mailed to the wrong location - may i please ask for > > > > > > > the respective mailing address. > > > > > > > > > > > > > > I am a system administrator for a high performance cluster, and I am > > > > > > > thinking of setting up a smartcard authentication with kerberos. > > > > > > > > > > > > > > I have already completed kerberos authentication implementation for users > > > > > > > of the cluster,through kinit and gssapi. > > > > > > > > > > > > > > These are the steps that i have followed to setup pkinit with smartcard. > > > > > > > > > > > > > > 1. I have created a CA to issue the CA certificates, CAkey and use those > > > to > > > > > > > create the KDC certificates and Client certificaties as mentioned in the > > > > > > > below link . > > > > > > > > > > > > > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html > > > > > > > > > > > > > > 2. However, in order to use smartcard along with PAM and kerberos > > > > > > > authentication - i need to use the CAs given by our organization for the > > > > > > > smart card, for which we do not have the CA key. > > > > > > > > > > > > Your organization's CA can sign a certificate request created by the > > > > > > key on the card or by the KDC. The signed request then becomes the > > certificate. > > > > > > signed by the CA. You as the Kerberos admin don't need the CA's key. > > > > > > > > > > > > > > > > > > > > My question is : If we have to use the same CA for KDC, Client and > > > > > > > Smartcard certificates? 
or if we could mention 2 different CA's to KDC for > > > > > > > KDC,Client certificates and Smartcard certicate? > > > > > > > > > > > > You can use different CAs. The client will need a copy of the CA certificate > > > > > > that signed the KDC's certificate. The KDC needs a copy of the CA > > certificate > > > > > > used to sign the smart card certificate. (simplest case.) > > > > > > > > > > > > > > > > > > > > In that way, It would be helpful - If KDC could use a self-generated CA > > > > > > > certificate for the KDC and Client certificate, while it will use the > > > > > > > Smartcard CA certificate for user login authentication with smart card. > > > > > > > > > > > > > > Also, may i know how we kinit using smartcard - in order to debug if the > > > > > > > issue is with PAM login attempt or kerberos authentication. > > > > > > > > > > > > > > I would be happy to hear from you. > > > > > > > > > > > > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT. > > > > > > Windows 7 and above come come with all the software needed if you are > > > > > > using certain types of smart cards (HSPD-12 PIV) cards for example. > > > > > > > > > > > > Linux and Macs with Kerberos and PKINIT can use AD as the KDC. > > > > > > > > > > > > We use some smart cards with certificates signed by our windows > > > > > > enterprise CA, as well as government issued cards to login to Windows > > > > > > or Unix. > > > > > > > > > > > > What cards are you using? > > > > > > What code to manager the cards? > > > > > > What code to the cards? > > > > > > What card readers? > > > > > > > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > Lohit > > > > > > > ________________________________________________ > > > > > > > Kerberos mailing list [email protected] > > > > > > > https://mailman.mit.edu/mailman/listinfo/kerberos > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Douglas E. 
Engert > > > > > > Argonne National Laboratory > > > > > > 9700 South Cass Avenue > > > > > > Argonne, Illinois 60439 > > > > > > (630) 252-5444 > > > > > > > > On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote: > > > On 2/26/2013 3:39 PM, Lohit Valleru wrote: > > > > > > > Dear Community, > > > > > > > > > > > > > > I assume, i have mailed to the right community list for these kind of > > > > > > > questions. If i have mailed to the wrong location - may i please ask for > > > > > > > the respective mailing address. > > > > > > > > > > > > > > I am a system administrator for a high performance cluster, and I am > > > > > > > thinking of setting up a smartcard authentication with kerberos. > > > > > > > > > > > > > > I have already completed kerberos authentication implementation for users > > > > > > > of the cluster,through kinit and gssapi. > > > > > > > > > > > > > > These are the steps that i have followed to setup pkinit with smartcard. > > > > > > > > > > > > > > 1. I have created a CA to issue the CA certificates, CAkey and use those > > > to > > > > > > > create the KDC certificates and Client certificaties as mentioned in the > > > > > > > below link . > > > > > > > > > > > > > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html > > > > > > > > > > > > > > 2. However, in order to use smartcard along with PAM and kerberos > > > > > > > authentication - i need to use the CAs given by our organization for the > > > > > > > smart card, for which we do not have the CA key. > > > > > > > > > > > > Your organization's CA can sign a certificate request created by the > > > > > > key on the card or by the KDC. The signed request then becomes the > > certificate. > > > > > > signed by the CA. You as the Kerberos admin don't need the CA's key. > > > > > > > > > > > > > > > > > > > > My question is : If we have to use the same CA for KDC, Client and > > > > > > > Smartcard certificates? 
or if we could mention 2 different CA's to KDC for > > > > > > > KDC,Client certificates and Smartcard certicate? > > > > > > > > > > > > You can use different CAs. The client will need a copy of the CA certificate > > > > > > that signed the KDC's certificate. The KDC needs a copy of the CA > > certificate > > > > > > used to sign the smart card certificate. (simplest case.) > > > > > > > > > > > > > > > > > > > > In that way, It would be helpful - If KDC could use a self-generated CA > > > > > > > certificate for the KDC and Client certificate, while it will use the > > > > > > > Smartcard CA certificate for user login authentication with smart card. > > > > > > > > > > > > > > Also, may i know how we kinit using smartcard - in order to debug if the > > > > > > > issue is with PAM login attempt or kerberos authentication. > > > > > > > > > > > > > > I would be happy to hear from you. > > > > > > > > > > > > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT. > > > > > > Windows 7 and above come come with all the software needed if you are > > > > > > using certain types of smart cards (HSPD-12 PIV) cards for example. > > > > > > > > > > > > Linux and Macs with Kerberos and PKINIT can use AD as the KDC. > > > > > > > > > > > > We use some smart cards with certificates signed by our windows > > > > > > enterprise CA, as well as government issued cards to login to Windows > > > > > > or Unix. > > > > > > > > > > > > What cards are you using? > > > > > > What code to manager the cards? > > > > > > What code to the cards? > > > > > > What card readers? > > > > > > > > > > > > > > > > > > > > > > > > > > Thank you > > > > > > > > > > > > > > Lohit > > > > > > > ________________________________________________ > > > > > > > Kerberos mailing list [email protected] > > > > > > > https://mailman.mit.edu/mailman/listinfo/kerberos > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Douglas E. 
Engert > > > > > > Argonne National Laboratory > > > > > > 9700 South Cass Avenue > > > > > > Argonne, Illinois 60439 > > > > > > (630) 252-5444 On Saturday, March 9, 2013 12:48:23 PM UTC-5, [email protected] wrote: > Hello Douglas, > > > > Thank you for your reply. It gives me a hope to solve the ongoing issue. > > > > Please let me give an explanation of the environment that i am trying to use > smart cards. > > > > I would like to use both Linux(centos) and Windows as client machines > > > > However, only Linux( centos) is used as our server operating systems. Centos > is a Red hat linux variant. > > > > I already have a full configured working setup of : OpenLDAP, GSSAPI, and > Kerberos setup as the User authorization and authentication mechanism with > windows and linux clients. > > OpenLDAP repository is used as a principal database for Kerberos, so > OpenLDAP(389-directory server) is used for authorization and Kerberos is used > for authentication. > > > > Users can login using password kerberos authentication with ssh and they will > receive kerberos tickets with the current configuration. > > > > However, i would like to get rid of passwords and use PIV card pkinit > authentication with kerberos instead of using passwords. > > > > I understand that AD and windows have a good implementation of pkinit but i > do want to use AD for KDC or for directory service. > > > > > > I have tried configuring KDC and clients with pkinit for client console login. > > > > I would just want the users to get kerberos tickets when they login to Linux > client console. > > > > Initially - I have tried PAM authentication for smartcard and I was > successful in using Smartcard CA for login using my smart card pin. So i can > login using smartcard to all linux machines. However i also would want to get > kerberos tickets once i login. > > > > This is where PAM_krb5 and krb5.conf comes into the picture, and i have > configured those too with respect to the pkinit configuration. 
> > > > Now when i try to login ( after PAM is configured to use kerberos), i do get > a prompt for entering my pin , but after i enter my pin - Kerberos still > cannot authenticate me, with logs mentioning that : > > > > " Decrypt integrity check failed " > > > > I have searched the forums, and i understand that the above log message means > that, KDC is not able to decrypt either because the password is wrong or it > doesnt support the encryption used. > > > > I am confused that, if PAM authentication can decrypt and allow me to login > using the SMART card CA . Why is that KDC is not able to decrypt. > > > > I could be that i did not configure the krb5.conf accurately. > > > > If i can use kinit to initiate pkinit with smart card, i would then able to > debug if this issue is related to kerberos only or pam and kerberos. > > > > Please do help me with the respective kerberos configuration for smartcard. > > > > MY smartcard info is as below : > > > > Model : ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK > > > > I do not know the code used inside the smartcard. > > > > its uses signature algorithm: sha256rsa > > > > > > Also please do find my comments as below . > > > > Thank you for your help, and I would be happy to hear from you. > > > > Regards, > > > > Lohit > > > > > > > > On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote: > > > On 2/26/2013 3:39 PM, Lohit Valleru wrote: > > > > > > > Dear Community, > > > > > > > > > > > > > > I assume, i have mailed to the right community list for these kind of > > > > > > > questions. If i have mailed to the wrong location - may i please ask for > > > > > > > the respective mailing address. > > > > > > > > > > > > > > I am a system administrator for a high performance cluster, and I am > > > > > > > thinking of setting up a smartcard authentication with kerberos. 
> > > > > > > > > > > > > > I have already completed kerberos authentication implementation for users > > > > > > > of the cluster,through kinit and gssapi. > > > > > > > > > > > > > > These are the steps that i have followed to setup pkinit with smartcard. > > > > > > > > > > > > > > 1. I have created a CA to issue the CA certificates, CAkey and use those > > > to > > > > > > > create the KDC certificates and Client certificaties as mentioned in the > > > > > > > below link . > > > > > > > > > > > > > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html > > > > > > > > > > > > > > 2. However, in order to use smartcard along with PAM and kerberos > > > > > > > authentication - i need to use the CAs given by our organization for the > > > > > > > smart card, for which we do not have the CA key. > > > > > > > > > > > > Your organization's CA can sign a certificate request created by the > > > > > > key on the card or by the KDC. The signed request then becomes the > > certificate. > > > > > > signed by the CA. You as the Kerberos admin don't need the CA's key. > > > > > > I had asked the above question, assuming if we have to use the SMART card CA > to create the KDC certificate, for which i would have to send the KDC > certificate request to the organization's CA. However I would like to keep a > separate CA for the KDC, and since we can use different CA's - that solves > the above issue. > > > > > > > > > > > > > > > > > > > > > > > > My question is : If we have to use the same CA for KDC, Client and > > > > > > > Smartcard certificates? or if we could mention 2 different CA's to KDC for > > > > > > > KDC,Client certificates and Smartcard certicate? > > > > > > > > > > > > You can use different CAs. The client will need a copy of the CA certificate > > > > > > that signed the KDC's certificate. The KDC needs a copy of the CA > > certificate > > > > > > used to sign the smart card certificate. (simplest case.) 
> > > I have already completed Kerberos authentication implementation for users
> > > of the cluster, through kinit and GSSAPI.
> > >
> > > These are the steps that I have followed to set up pkinit with smartcard.
> > >
> > > 1. I have created a CA to issue the CA certificates, CA key and use those to
> > > create the KDC certificates and Client certificates as mentioned in the
> > > below link.
> > >
> > > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> > >
> > > 2. However, in order to use smartcard along with PAM and Kerberos
> > > authentication - I need to use the CAs given by our organization for the
> > > smart card, for which we do not have the CA key.
> >
> > Your organization's CA can sign a certificate request created by the
> > key on the card or by the KDC. The signed request then becomes the
> > certificate signed by the CA. You as the Kerberos admin don't need the CA's key.
> >
> > > My question is: do we have to use the same CA for KDC, Client and
> > > Smartcard certificates? Or could we mention 2 different CAs to the KDC for
> > > KDC/Client certificates and Smartcard certificate?
> >
> > You can use different CAs. The client will need a copy of the CA certificate
> > that signed the KDC's certificate. The KDC needs a copy of the CA certificate
> > used to sign the smart card certificate. (simplest case.)
>
> I do have the CA used to create the KDC, and also the CA used for the
> certificate on the SMART/PIV card. I have also configured the KDC to use both
> CAs under a directory. However, the KDC still gives me the error:
> "Decrypt integrity check failed".
>
> > > In that way, it would be helpful if the KDC could use a self-generated CA
> > > certificate for the KDC and Client certificate, while it will use the
> > > Smartcard CA certificate for user login authentication with smart card.
> > >
> > > Also, may I know how we kinit using smartcard - in order to debug if the
> > > issue is with the PAM login attempt or Kerberos authentication.
> > >
> > > I would be happy to hear from you.
> >
> > FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
> > Windows 7 and above come with all the software needed if you are
> > using certain types of smart cards (HSPD-12 PIV cards, for example).
> >
> > Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
> >
> > We use some smart cards with certificates signed by our Windows
> > enterprise CA, as well as government-issued cards to login to Windows
> > or Unix.
> >
> > What cards are you using?
> > What code to manage the cards?
> > What code to the cards?
> > What card readers?
> >
> > > Thank you
> > >
> > > Lohit
> > > ________________________________________________
> > > Kerberos mailing list
> > > [email protected]
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > --
> >
> > Douglas E. Engert
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
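The following is an added configuration example for this thread, not something Lohit or Douglas posted. It lays out the two-CA arrangement Douglas describes for MIT krb5: the client trusts only the CA that issued the KDC certificate, the KDC trusts the CA that issued the PIV card certificate, and the two do not have to be the same CA. The realm name, KDC hostname, file paths, the OpenSC PKCS#11 module path and the principal name are all assumptions chosen for illustration; substitute your own.

```ini
# Added example, not configuration from the thread. Two files are shown,
# one per side. Realm, hostname, paths and module path are assumptions.

# ---------- client side: /etc/krb5.conf ----------
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # CA that signed the KDC's certificate (the self-generated CA).
        # This is the only trust anchor the client needs for PKINIT.
        pkinit_anchors = FILE:/etc/pki/krb5/kdc-ca.pem
        # The client identity is the key and certificate on the PIV card,
        # reached through OpenSC's PKCS#11 module rather than a FILE: pair.
        # The module path is an assumption; it varies by distribution.
        pkinit_identities = PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so
        # Require the KDC certificate to carry the PKINIT KDC EKU, and accept
        # a dNSName SAN for the KDC host as the KDC's identity.
        pkinit_eku_checking = kpKDC
        pkinit_kdc_hostname = kdc.example.com
    }

# ---------- KDC side: /var/kerberos/krb5kdc/kdc.conf ----------
[realms]
    EXAMPLE.COM = {
        # The KDC's own certificate and private key, issued by the
        # self-generated CA.
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # Anchors the KDC trusts for *client* certificates. pkinit_anchors is
        # multi-valued, so the smart card issuer and the self-generated CA
        # (for file-based test clients) can both be listed, one FILE: each.
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/smartcard-ca.pem
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc-ca.pem
        # PIV authentication certificates usually carry the Microsoft Smart
        # Card Logon EKU and a UPN SAN rather than id-pkinit-san, so accept
        # that EKU and allow a UPN to identify the client principal.
        pkinit_eku_checking = scLogin
        pkinit_allow_upn = true
    }
```

To exercise PKINIT with the card outside PAM, which is the isolation Lohit asks for, run `KRB5_TRACE=/dev/stderr kinit -V -X X509_user_identity=PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so lohit@EXAMPLE.COM` on the client and `klist` afterwards (principal and module path again assumed). A working exchange prompts for the card PIN and the trace shows PKINIT preauth being sent. If kinit instead prompts with "Password for lohit@EXAMPLE.COM:", the PKINIT module was skipped (typically because no usable identity was found or no anchor verified the KDC certificate) and whatever is typed goes to the KDC as encrypted-timestamp preauth with the password, which is one common way to end up with "Decrypt integrity check failed" in the KDC log when a PIN was entered. If the card certificate verifies but the request is still refused, look in the KDC log for a client name mismatch: the KDC binds a certificate to the requested principal only through a SAN, either id-pkinit-san or, with pkinit_allow_upn, a Microsoft UPN naming that principal. KRB5_TRACE requires krb5 1.9 or later.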
