Hi all,

I am implementing PKINIT, but I am not getting the PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC. It is asking for a password to authenticate and sending an encrypted timestamp in the second AS_REQ to the KDC, but I want to use certificate-based authentication. So the fields PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP are needed in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.

My KDC's krb5.conf and kdc.conf are as follows:

****************************krb5.conf************************************
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = GLOBALEDGESOFT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 pkinit_anchors = DIR:/ca/
 GLOBALEDGESOFT.COM = {
  pkinit_require_eku = true
  pkinit_require_krbtgt_otherName = true
  pkinit_require_hostname_match = true
 }

[realms]
 GLOBALEDGESOFT.COM = {
  kdc = 172.16.10.211
  admin_server = 172.16.10.211
  default_domain = globaledgesoft.com
 }

[domain_realm]
 .globaledgesoft.com = GLOBALEDGESOFT.COM
 globaledgesoft.com = GLOBALEDGESOFT.COM

[kdc]
 profile = /etc/kdc.conf
 pkinit_identity = FILE:/kdc/kdc.crt,/kdc/kdc.key
 require-preauth = yes

[kadmin]
 require-preauth = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
****************************************************************************

***********************kdc.conf*******************************************
[kdcdefaults]
 kdc_ports = 750,88
 pkinit_anchors = DIR:/ca/
 pkinit_identity = DIR:/kdc/

[realms]
 GLOBALEDGESOFT.COM = {
  database_name = /usr/local/var/krb5kdc/principal
  admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
  acl_file = /usr/local/var/krb5kdc/kadm5.acl
  key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBALEDGESOFT.COM
  kdc_ports = 750,88
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
  pkinit_identity = FILE:/client/client.crt,/client/client.key
  pkinit_anchors = DIR:/ca/
  default_principal_expiration = +preauth, -pwservice
 }

[kdc]
 require-preauth = yes
*************************************************************************

I have generated the certificates using openssl:

 /ca contains ca.crt ca.csr ca.key
 /kdc contains kdc.crt kdc.csr kdc.key
 /client contains client.crt client.csr client.key
*************************************************************************

I have not used any intermediate certificates, so I have not included PKINIT_POOL and PKINIT_REVOKE in the above kdc.conf files. kdc.crt and client.crt are signed by ca.crt.

ca.crt I have generated as follows:

/************* CA certificates ***********/
 openssl genrsa -out ca.key 2048
 openssl req -new -key ca.key -out ca.csr
 openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

 At the end of this I have ca.crt and ca.key, which is self-signed.
/************* END of CA crt **************/

Please kindly check the above kdc.conf and krb5.conf files and guide me on what modifications are needed so as to get the PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.

Regards,
Vinay
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
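The post's krb5.conf turns on pkinit_require_eku and pkinit_require_krbtgt_otherName, which means the KDC's own certificate has to carry the PKINIT KDC extended key usage and a subjectAltName otherName holding the krbtgt principal, and the client certificate has to carry the PKINIT client EKU and its principal name; a certificate produced with a bare `openssl x509 -req` and no extension file carries neither. The script below is an added example, not part of Vinay's post and not MIT's or Heimdal's own tooling: it issues a test CA, a KDC certificate and a client certificate with those extensions (the OpenSSL extension sections are modelled on the ones in the MIT krb5 PKINIT documentation), issues one more certificate the way the post does, and then checks each file for the encoded OIDs and a valid chain to the anchor. The realm EXAMPLE.COM, the principal name alice, the subject names and the helper names issue_cert, cert_has_oid, kdc_cert_ok and client_cert_ok are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): issue PKINIT-capable KDC and
# client certificates and verify the extensions a KDC configured with
# pkinit_require_eku / pkinit_require_krbtgt_otherName needs.  Realm,
# principal and file names are assumptions for this demo.
set -eu

REALM="EXAMPLE.COM"   # assumed realm; the post uses GLOBALEDGESOFT.COM
CLIENT="alice"        # assumed client principal name
export REALM CLIENT
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension sections modelled on the MIT krb5 PKINIT documentation.
# KDC cert: EKU id-pkinit-KPKdc (1.3.6.1.5.2.3.5) plus a SAN otherName
# id-pkinit-san (1.3.6.1.5.2.2) naming krbtgt/REALM (name_type 2 = NT-SRV-INST).
# Client cert: EKU id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) plus a SAN
# otherName naming the client principal (name_type 1 = NT-PRINCIPAL).
cat > "$WORK/pkinit_ext.cnf" <<'EOF'
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}

[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:client_princ_name
[client_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:client_principal_seq
[client_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:client_principals
[client_principals]
princ1=GeneralString:${ENV::CLIENT}
EOF

# Self-signed CA (the anchor the post points pkinit_anchors at), non-interactive.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=PKINIT demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert <name> <subject> <extension section or "">: CSR signed by the CA.
# An empty section reproduces the post's plain 'openssl x509 -req' (no extensions).
issue_cert() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    if [ -n "$3" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 365 -extfile "$WORK/pkinit_ext.cnf" \
            -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
    fi
}

# DER encodings (tag 06, length, content octets) of the OIDs, so the check does
# not depend on whether this OpenSSL build has a display name for them.
OID_KPKDC="06072b060105020305"        # 1.3.6.1.5.2.3.5 id-pkinit-KPKdc
OID_KPCLIENTAUTH="06072b060105020304" # 1.3.6.1.5.2.3.4 id-pkinit-KPClientAuth
OID_PKINIT_SAN="06062b0601050202"     # 1.3.6.1.5.2.2   id-pkinit-san

# cert_has_oid <cert.pem> <der hex>: true if the encoded OID occurs in the cert.
cert_has_oid() {
    openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n' | grep -q "$2"
}

# kdc_cert_ok / client_cert_ok: required EKU, id-pkinit-san otherName, and a
# chain that validates against the anchor.
kdc_cert_ok() {
    cert_has_oid "$1" "$OID_KPKDC" && cert_has_oid "$1" "$OID_PKINIT_SAN" &&
        openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
client_cert_ok() {
    cert_has_oid "$1" "$OID_KPCLIENTAUTH" && cert_has_oid "$1" "$OID_PKINIT_SAN" &&
        openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

issue_cert kdc "/CN=kdc.example.com" kdc_cert
issue_cert client "/CN=$CLIENT" client_cert
issue_cert bare "/CN=bare" ""   # the post's recipe: no -extfile at all

for n in kdc client bare; do
    if kdc_cert_ok "$WORK/$n.crt"; then echo "$n.crt: usable as KDC PKINIT identity"
    elif client_cert_ok "$WORK/$n.crt"; then echo "$n.crt: usable as client PKINIT identity"
    else echo "$n.crt: no PKINIT EKU/SAN, KDC and client libraries will not offer PKINIT with it"
    fi
done
```

Run it as-is; it needs only the openssl CLI plus od, tr and grep. The same cert_has_oid check can be pointed at an existing kdc.crt or client.crt to see whether a certificate that was issued elsewhere meets the requirements the post's pkinit_require_* settings impose, before touching the KDC configuration.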