Hi,
  Starting a new e-mail since I felt that the old e-mail contained too much 
info (not a clear one).

I am using the MIT Kerberos client APIs to develop a Kerberos client for a system.

1. A custom-named conf file is used for storing the realm, libdefaults, etc. 
Once the information is written, this file is set in the environment using 
KRB5_CONF.

2. Now incorporating PKINIT support into our Kerberos client. The following 
steps were followed.
    a) Created certificates as mentioned on the MIT site
    b) The following entries were placed in the conf file

realm.conf

[realms]
 example.com = {
  kdc = <ipaddress>:88
  pkinit_anchors = FILE:/<path>/certif/cacert.pem
  pkinit_identity = FILE:/<path>/certif/client.pem,/<path>/certif/clientkey.pem
 }

The corresponding APIs are invoked:
krb5_get_init_creds_opt_alloc: for credential allocation
krb5_get_init_creds_opt_set_pa: for setting X509_anchors to 
FILE:/<path>/cert/cacert.pem
krb5_get_init_creds_opt_set_pa: for setting X509_user_identity to 
FILE:/<path>/certif/client.pem,/<path>/certif/clientkey.pem
krb5_get_init_creds_opt_set_pa: for setting "flag_RSA_PROTOCOL" to "yes"

Now during testing:

1. An AS_REQ goes from the client to the KDC, and the KDC replies with 
KRB5KDC_ERR_PREAUTH_REQUIRED.
2. The next AS_REQ from the client to the KDC goes with padata as 
PA-ENC-TIMESTAMP (not PA-DASS with the certificate value, as expected).

When the same was tested with the kinit command line, the second AS_REQ carries 
padata as PA-DASS with certificate values. Please guide me if I am missing 
something in the API usage.


Best Regards,

B.Sasikumar.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
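The mail above boils down to one observable difference: the library client's second AS-REQ carries PA-ENC-TIMESTAMP (padata-type 2) while kinit's carries PA-PK-AS-REQ (padata-type 16, the PKINIT pre-authentication type from RFC 4556). When comparing the two clients it helps to have an offline check that reads the padata-type values straight out of a captured AS-REQ rather than eyeballing a dissector. The Python below is an added example, not code from the original mail or from MIT krb5: it contains a minimal DER reader that walks AS-REQ -> KDC-REQ -> [3] padata -> PA-DATA and returns the padata-type integers, plus a small encoder used only to build constructed sample messages (their req-body is an empty placeholder, so they are not valid requests a KDC would accept). The type-to-name table covers the common pre-authentication types; anything else is reported by number.

```python
"""Report which pre-authentication types an AS-REQ carries.

Added example for inspecting captured AS-REQ bytes offline; the sample
messages at the bottom are constructed here and mirror the two second
AS-REQs described in the mail (PA-ENC-TIMESTAMP vs PA-PK-AS-REQ).
"""

# Pre-authentication type numbers (RFC 4120 / RFC 4556 / RFC 6113).
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ-OLD",
    16: "PA-PK-AS-REQ",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
}


# --- minimal DER encoding, used only to build the constructed samples ---

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """Non-negative INTEGER; the extra bit keeps the sign bit clear."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


# --- minimal DER decoding (single-byte tags are enough for KDC-REQ) ---

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def iter_children(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


def padata_types(as_req):
    """Return the padata-type integers of an AS-REQ in order ([] if none)."""
    tag, kdc_req, _ = read_tlv(as_req, 0)
    if tag != 0x6A:  # [APPLICATION 10] AS-REQ
        raise ValueError("not an AS-REQ (tag 0x%02x)" % tag)
    tag, fields, _ = read_tlv(kdc_req, 0)
    if tag != 0x30:
        raise ValueError("KDC-REQ is not a SEQUENCE")
    types = []
    for ftag, fval in iter_children(fields):
        if ftag != 0xA3:  # [3] padata SEQUENCE OF PA-DATA
            continue
        _, pa_seq, _ = read_tlv(fval, 0)
        for _, pa in iter_children(pa_seq):  # each PA-DATA SEQUENCE
            for etag, ebody in iter_children(pa):
                if etag == 0xA1:  # [1] padata-type Int32
                    _, ival, _ = read_tlv(ebody, 0)
                    types.append(int.from_bytes(ival, "big", signed=True))
    return types


def describe(as_req):
    return [PA_NAMES.get(t, "padata-type %d" % t) for t in padata_types(as_req)]


def build_as_req(padata):
    """Construct a skeleton AS-REQ carrying [(type, value_bytes)] padata.

    req-body is an empty SEQUENCE placeholder: test input only.
    """
    pa_seq = b"".join(
        der(0x30, der(0xA1, der_int(t)) + der(0xA2, der(0x04, v)))
        for t, v in padata
    )
    fields = (der(0xA1, der_int(5))                          # pvno
              + der(0xA2, der_int(10))                       # msg-type AS-REQ
              + (der(0xA3, der(0x30, pa_seq)) if padata else b"")
              + der(0xA4, der(0x30, b"")))                   # req-body placeholder
    return der(0x6A, der(0x30, fields))


# Constructed samples: what the mail reports for the library client and for kinit.
ENC_TS_REQ = build_as_req([(2, b"\x30\x00")])
PKINIT_REQ = build_as_req([(16, b"\x30\x00"), (133, b"cookie")])

if __name__ == "__main__":
    for name, req in (("library client", ENC_TS_REQ), ("kinit", PKINIT_REQ)):
        print(name, "->", describe(req))
```

Feed `padata_types` the raw AS-REQ bytes exported from a capture (for TCP transport, strip the 4-byte length prefix first). An AS-REQ whose list contains 2 but not 16 was answered by the encrypted-timestamp module, so the PKINIT module never produced a request; seeing 16 confirms the X509_user_identity and X509_anchors options reached the PKINIT code. On recent MIT releases, `KRB5_TRACE=/dev/stderr` on the client gives the same information from the library's own log lines.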