On 3/9/2013 11:48 AM, [email protected] wrote:
> Hello Douglas,
>
> Thank you for your reply. It gives me hope to solve the ongoing issue.
>
> Please let me give an explanation of the environment in which I am trying to use
> smart cards.
>
> I would like to use both Linux (CentOS) and Windows as client machines.

I have been talking to another individual about PKINIT with GDM on CentOS.
It is not clear if the CentOS pam_krb5 supports PKINIT or not. I do not have
a CentOS system to test. (Maybe someone else on the list knows if the CentOS
pam_krb5 can do PKINIT.)

You say below that you can logon to the system with the smart card, but that
may be a local logon to the machine done with the pam_pkcs11.so module, not
with the pam_krb5. Check the pam configuration files.

> However, only Linux (CentOS) is used as our server operating system. CentOS
> is a Red Hat Linux variant.
>
> I already have a fully configured working setup of OpenLDAP, GSSAPI, and
> Kerberos as the user authorization and authentication mechanism with
> Windows and Linux clients.
> The OpenLDAP repository is used as the principal database for Kerberos, so
> OpenLDAP (389 Directory Server) is used for authorization and Kerberos is used
> for authentication.
>
> Users can login using password Kerberos authentication with ssh and they will
> receive Kerberos tickets with the current configuration.
>
> However, I would like to get rid of passwords and use PIV card PKINIT
> authentication with Kerberos instead of using passwords.
>
> I understand that AD and Windows have a good implementation of PKINIT but I
> do want to use AD for KDC or for directory service.

Yes, so if you wish to use AD as the KDC, with smartcard, you should make sure
Windows smartcard login works first. Windows 7 has all the PCSC and PIV drivers
built in, so there is no extra code.

> I have tried configuring KDC and clients with PKINIT for client console login.
>
> I would just want the users to get Kerberos tickets when they login to the Linux
> client console.
>
> Initially I tried PAM authentication for smartcard and I was
> successful in using the smartcard CA for login using my smart card PIN. So I can
> login using smartcard to all Linux machines. However, I also would want to get
> Kerberos tickets once I login.
>
> This is where pam_krb5 and krb5.conf come into the picture, and I have
> configured those too with respect to the PKINIT configuration.

There are many implementations of pam_krb5 based on different code bases.
I have had good success using the Debian version on Solaris (and Ubuntu,
which comes with this version):

http://www.eyrie.org/~eagle/software/pam-krb5/

If the CentOS pam-krb5 does not support PKINIT, you may want to try the
above version. (Or try running Ubuntu or Debian OS as a test.)

> Now when I try to login (after PAM is configured to use Kerberos), I do get
> a prompt for entering my PIN, but after I enter my PIN Kerberos still
> cannot authenticate me, with logs mentioning that:

The PIN prompt may be from pam_pkcs11.so, not the pam_krb5.

> "Decrypt integrity check failed"

This usually means the password is not valid, or a keytab does not match
the KDC's version.

> I have searched the forums, and I understand that the above log message means
> that the KDC is not able to decrypt, either because the password is wrong or it
> doesn't support the encryption used.
>
> I am confused that, if PAM authentication can decrypt and allow me to login
> using the smart card CA, why is it that the KDC is not able to decrypt?

The login may be from the pam_pkcs11.so.

All pam modules accept a debug option to write debug info to syslog. You may
want to add the debug option to the pam_pkcs11.so and pam_krb5.so lines in
the pam config files.

Wireshark network traces can also help, as it can show a lot of the Kerberos
packets.

> It could be that I did not configure the krb5.conf accurately.
>
> If I can use kinit to initiate PKINIT with the smart card, I would then be able to
> debug if this issue is related to Kerberos only or PAM and Kerberos.

Yes, kinit can use PKINIT, even if the pam_krb5 can not.

> Please do help me with the respective Kerberos configuration for smartcard.
>
> My smartcard info is as below:
>
> Model: ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK

I am assuming that the card was issued to you by some government CA.

> I do not know the code used inside the smartcard.
>
> It uses signature algorithm: sha256rsa
>
> Also please do find my comments as below.
>
> Thank you for your help, and I would be happy to hear from you.
>
> Regards,
>
> Lohit

I am out of the office all next week and may not respond quickly.

> On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
>> On 2/26/2013 3:39 PM, Lohit Valleru wrote:
>>> Dear Community,
>>>
>>> I assume I have mailed to the right community list for these kinds of
>>> questions. If I have mailed to the wrong location, may I please ask for
>>> the respective mailing address.
>>>
>>> I am a system administrator for a high performance cluster, and I am
>>> thinking of setting up smartcard authentication with Kerberos.
>>>
>>> I have already completed the Kerberos authentication implementation for users
>>> of the cluster, through kinit and GSSAPI.
>>>
>>> These are the steps that I have followed to set up PKINIT with smartcard.
>>>
>>> 1. I have created a CA to issue the CA certificates and CA key and use those to
>>> create the KDC certificates and client certificates as mentioned in the
>>> below link.
>>>
>>> http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
>>>
>>> 2. However, in order to use smartcard along with PAM and Kerberos
>>> authentication, I need to use the CAs given by our organization for the
>>> smart card, for which we do not have the CA key.
>>
>> Your organization's CA can sign a certificate request created by the
>> key on the card or by the KDC. The signed request then becomes the
>> certificate signed by the CA. You as the Kerberos admin don't need the CA's key.
>
> I had asked the above question assuming that we have to use the smart card CA
> to create the KDC certificate, for which I would have to send the KDC
> certificate request to the organization's CA. However, I would like to keep a
> separate CA for the KDC, and since we can use different CAs, that solves
> the above issue.
>
>>> My question is: if we have to use the same CA for KDC, client and
>>> smartcard certificates, or if we could mention 2 different CAs to the KDC, for
>>> KDC/client certificates and the smartcard certificate?
>>
>> You can use different CAs. The client will need a copy of the CA certificate
>> that signed the KDC's certificate. The KDC needs a copy of the CA certificate
>> used to sign the smart card certificate. (simplest case.)
>
> I do have the CA used to create the KDC, and also the CA used for the
> certificate on the SMART/PIV card. I have also configured the KDC to use both
> CAs under a directory. However, the KDC still gives me the error: "Decrypt
> Integrity check failed".
>
>>> In that way, it would be helpful if the KDC could use a self-generated CA
>>> certificate for the KDC and client certificate, while it will use the
>>> smartcard CA certificate for user login authentication with smart card.
>>>
>>> Also, may I know how we kinit using smartcard, in order to debug if the
>>> issue is with the PAM login attempt or Kerberos authentication.
>>>
>>> I would be happy to hear from you.
>>
>> FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
>> Windows 7 and above come with all the software needed if you are
>> using certain types of smart cards (HSPD-12 PIV cards, for example).
>>
>> Linux and Macs with Kerberos and PKINIT can use AD as the KDC.
>>
>> We use some smart cards with certificates signed by our Windows
>> enterprise CA, as well as government issued cards, to login to Windows
>> or Unix.
>>
>> What cards are you using?
>> What code to manage the cards?
>> What code to the cards?
>> What card readers?
>>
>>> Thank you
>>>
>>> Lohit
>>> ________________________________________________
>>> Kerberos mailing list   [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>> Douglas E. Engert <[email protected]>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list   [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
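For reference, the two-CA arrangement Douglas describes (the client trusts the CA that signed the KDC's certificate, the KDC trusts the CA that issued the card certificate) written out as MIT krb5 configuration. This is an added illustration, not configuration from the thread; the realm, hostname, file paths and OpenSC module path are assumptions.

```ini
# /etc/krb5.conf on the Linux client (assumed realm, host and paths)
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        # CA that signed the KDC's certificate: the Kerberos admin's own CA,
        # which need not be the CA that issued the PIV card certificates
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
        # Take the user's certificate and private key from the PIV card
        # through the OpenSC PKCS#11 module (kinit prompts for the card PIN)
        pkinit_identities = PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so
        # Only accept a KDC certificate that carries the PKINIT KDC EKU
        pkinit_eku_checking = kpKDC
        # Accept a KDC certificate whose dNSName SAN names this host
        # instead of requiring the id-pkinit-san form
        pkinit_kdc_hostname = kdc.example.org
    }

# /var/kerberos/krb5kdc/kdc.conf on the KDC (assumed paths)
[kdcdefaults]
    # The KDC's own certificate and private key, issued by the admin's CA above
    pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
    # Directory holding both trusted CAs: the KDC CA and the card issuer's CA
    pkinit_anchors = DIR:/var/kerberos/krb5kdc/cacerts
    # PIV card certificates usually carry a Microsoft UPN SAN rather than a
    # Kerberos principal SAN; allow the KDC to bind that UPN to the principal
    pkinit_allow_upn = true
```

With this in place, `kinit -X X509_user_identity='PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so' user@EXAMPLE.ORG` followed by `klist` exercises PKINIT without PAM, which separates a krb5.conf or KDC problem from a pam_krb5 one as suggested above.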
