On Sun, Mar 10, 2013 at 07:24:54PM -0500, Douglas E. Engert wrote:
> On 3/9/2013 11:48 AM, [email protected] wrote:
> > Hello Douglas,
> >
> > Thank you for your reply. It gives me hope to solve the ongoing issue.
> >
> > Please let me give an explanation of the environment in which I am trying to
> > use smart cards.
> >
> > I would like to use both Linux (CentOS) and Windows as client machines.
>
> I have been talking to another individual about PKINIT with GDM on CentOS.
> It is not clear if the CentOS pam_krb5 supports PKINIT or not. I do
> not have a CentOS system to test. (Maybe someone else on the list knows
> if the CentOS pam_krb5 can do PKINIT.)
Yes, it can.

The short version is that you want to get kinit working first. This means configuring krb5.conf with the usual pkinit_anchors and, if needed, pkinit_pool settings.

If the KDC's certificate isn't quite what the client module is expecting (for example, if the KDC is an AD domain controller using a domain controller certificate issued by ADCS), using pkinit_kdc_hostname (set to the domain controller's idea of what its hostname is) and/or pkinit_eku_checking (set to "kpServerAuth") may also be necessary.

And if the PKINIT module (in the krb5-pkinit-openssl binary package in CentOS 6) can't select exactly one certificate from the client's smart card, you'll also need to set pkinit_cert_match to a value that'll instruct PKINIT on how to do so (depending on the PIV card, we sometimes have to go with "<KU>digitalSignature<EKU>msScLogin").

The last thing you'd need to set is the location of the client's credentials. My personal preference is to only set that when you intend to use PKINIT, for example by passing the location in the form of an option to kinit:

  kinit -X X509_user_identity=PKCS11:my_pkcs11_module.so

The pam_krb5 that comes with CentOS can take similar settings via the module's "preauth_options" option, so you'd want to add this to the relevant "auth" line in the right PAM configuration file (probably /etc/pam.d/smartcard-auth):

  preauth_options=X509_user_identity=PKCS11:my_pkcs11_module.so

If there's no other module being invoked before pam_krb5 that's asking for a password, you'll want to suppress pam_krb5's default behavior of prompting for a password first by also giving the module its "no_initial_prompt" option.
If pam_pkcs11's invoked first, or some other module is but you're still certain that the other module is setting a PAM_AUTHTOK value that's a smart card PIN and not a password, you can force pam_krb5 to just supply that value when libkrb5 prompts for something, rather than asking the application to ask the user, by specifying the module's "no_subsequent_prompt" option.

HTH,

Nalin

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
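The settings Nalin lists, put together as one staged configuration. This is an added example, not code from the thread or from the krb5/pam_krb5 projects: it writes a krb5.conf with the PKINIT options discussed (pkinit_anchors, pkinit_kdc_hostname, pkinit_eku_checking, pkinit_cert_match), plus two versions of the pam_krb5 "auth" stack (pam_krb5 prompting on its own with no_initial_prompt, and pam_pkcs11 collecting the PIN first with no_subsequent_prompt), into a scratch directory rather than /etc, then checks each stack for the prompt-option mistake the reply warns about. The realm EXAMPLE.COM, the host dc1.example.com, the CA bundle path and the opensc-pkcs11.so path are placeholders, not values from the thread; on a real CentOS 6 box the PAM file would be /etc/pam.d/smartcard-auth without the variant suffix.

```shell
#!/bin/sh
# Added example, not from the original thread: stage the krb5.conf PKINIT
# settings and the two pam_krb5 "auth" stacks Nalin describes into a scratch
# directory and sanity-check them. Nothing here writes under /etc. Realm,
# hostnames, CA bundle and PKCS#11 module paths are assumptions (placeholders).
set -eu

STAGE="${STAGE:-$(mktemp -d)}"
REALM="${REALM:-EXAMPLE.COM}"                              # assumption
KDC_HOST="${KDC_HOST:-dc1.example.com}"                    # the DC's own idea of its name (assumption)
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/adcs-ca.pem}"   # assumption
P11_MODULE="${P11_MODULE:-/usr/lib64/opensc-pkcs11.so}"    # assumption

# krb5.conf: get "kinit -X X509_user_identity=..." working with this first.
write_krb5_conf() {
    mkdir -p "$STAGE/etc"
    cat >"$STAGE/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = $KDC_HOST
        # Trust anchors for the KDC certificate (the "usual" setting).
        pkinit_anchors = FILE:$CA_BUNDLE
        # An AD domain controller with an ADCS-issued DC certificate: match
        # its own hostname and accept the serverAuth EKU instead of id-pkinit-KDC.
        pkinit_kdc_hostname = $KDC_HOST
        pkinit_eku_checking = kpServerAuth
        # PIV cards carry several certificates; pick exactly one for PKINIT.
        pkinit_cert_match = <KU>digitalSignature<EKU>msScLogin
    }
EOF
}

# Variant "krb5-only": pam_krb5 is the first module that prompts, so it must
# skip its password prompt (no_initial_prompt) and use the card as credential
# location (preauth_options=...). Variant "pkcs11-first": pam_pkcs11 already
# collected the PIN as PAM_AUTHTOK, so pam_krb5 hands that PIN to libkrb5
# instead of prompting again (no_subsequent_prompt).
write_pam_smartcard_auth() {
    variant="$1"
    mkdir -p "$STAGE/etc/pam.d"
    out="$STAGE/etc/pam.d/smartcard-auth.$variant"
    krb5_opts="preauth_options=X509_user_identity=PKCS11:$P11_MODULE"
    case "$variant" in
      krb5-only)
        printf 'auth    sufficient  pam_krb5.so no_initial_prompt %s\n' "$krb5_opts" >"$out" ;;
      pkcs11-first)
        {
          printf 'auth    required    pam_pkcs11.so\n'
          printf 'auth    sufficient  pam_krb5.so no_subsequent_prompt %s\n' "$krb5_opts"
        } >"$out" ;;
      *) echo "unknown variant $variant" >&2; return 2 ;;
    esac
    printf 'auth    required    pam_deny.so\n' >>"$out"
}

# Check a staged PAM file for the prompt-option mistakes the thread warns about:
# the pam_krb5 line needs preauth_options, plus no_initial_prompt when nothing
# before it collects a PIN, or no_subsequent_prompt when pam_pkcs11 does.
check_pam_file() {
    f="$1"
    krb5_line="$(grep 'pam_krb5.so' "$f")" || return 1
    case "$krb5_line" in *preauth_options=X509_user_identity=PKCS11:*) ;; *) return 1 ;; esac
    # sed prints only the lines that precede the pam_krb5 line.
    if sed -n '/pam_krb5.so/q;p' "$f" | grep -q 'pam_pkcs11.so'; then
        case "$krb5_line" in *no_subsequent_prompt*) ;; *) return 1 ;; esac
    else
        case "$krb5_line" in *no_initial_prompt*) ;; *) return 1 ;; esac
    fi
}

check_krb5_conf() {
    grep -q '^ *pkinit_anchors *= *FILE:' "$STAGE/etc/krb5.conf" || return 1
    grep -q '^ *pkinit_eku_checking *= *kpServerAuth' "$STAGE/etc/krb5.conf"
}

# The manual test to run once the real files are in place (printed, not run).
kinit_cmd() {
    printf 'KRB5_CONFIG=%s/etc/krb5.conf kinit -X X509_user_identity=PKCS11:%s user@%s\n' \
        "$STAGE" "$P11_MODULE" "$REALM"
}

write_krb5_conf
write_pam_smartcard_auth krb5-only
write_pam_smartcard_auth pkcs11-first
check_krb5_conf
check_pam_file "$STAGE/etc/pam.d/smartcard-auth.krb5-only"
check_pam_file "$STAGE/etc/pam.d/smartcard-auth.pkcs11-first"
echo "staged files under $STAGE look consistent; try:"
kinit_cmd
```

The kinit line it prints is the check to run first, as the reply says: only once that returns a TGT from the card is it worth wiring pam_krb5 into the PAM stack, and which of the two staged stacks applies depends on whether anything before pam_krb5 is already asking for the PIN.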
