Re: Elementary PKINIT questions (MIT Kerberos/Linux configuration)
On 28/3/23 09:24, Ken Hornstein wrote:
> You can specify the certificate exactly on the 'kinit' command line
> with the "-X X509_user_identity" option (this has the same format as
> the pkinit_identities option in krb5.conf). Now this option isn't
> supported for kadmin, but you can do:
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin jason/admin
>
> or
>
> % kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin.host jason/admin
>
> Depending on the principal you are using for kadmind, and then you can
> use the "-c credential_cache" option to kadmin to use an existing
> credential cache.

Thank you - that worked as described, once I gave kadmin the correct
credentials cache.

> I have had success using a YubiKey 5 in PIV mode which also supports a
> bunch of other things like FIDO 2; I have no connection with Yubico
> other than as a user. Yubico provides a PKCS#11 module but in PIV mode
> you should be able to use any PKCS#11 module that supports PIV (this is
> very common). One advantage to a YubiKey is it is just USB and does not
> require a dedicated smartcard reader. Note that this is a lot of moving
> parts and probably will require a fair amount of fiddling.

Yes, exactly. I'm contemplating Yubikeys, however, for this and other
reasons.

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Elementary PKINIT questions (MIT Kerberos/Linux configuration)
> First problem: I have a second principal, jason/admin, for use with
> kadmin. I've generated a certificate that can authenticate. However, now
> that I have two certificates (one for jason and another for
> jason/admin), it isn't clear how to configure the client to offer the
> correct certificate to the kdc. If I specify both certificates on
> pkinit_identities lines in the client's krb5.conf file, "jason" can log
> in, but kadmin returns a "Client name mismatch while initializing kadmin
> interface" error. My assumption is that the wrong certificate was
> offered to the KDC (i.e., not the jason/admin certificate). Specifying
> the directory containing the certificates in pkinit_identities results
> in finding two certificates where one is expected, with an error message
> to that effect.

The bottom line is you need to make only one certificate available to
the PKINIT client code. This is kind of a corner case; you don't
normally have a single Unix user with two valid certificates. But there
are some options.

You can specify the certificate exactly on the 'kinit' command line
with the "-X X509_user_identity" option (this has the same format as
the pkinit_identities option in krb5.conf). Now this option isn't
supported for kadmin, but you can do:

% kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin jason/admin

or

% kinit -X X509_user_identity=FILE:/tmp/foo.pem -S kadmin/admin.host jason/admin

Depending on the principal you are using for kadmind, and then you can
use the "-c credential_cache" option to kadmin to use an existing
credential cache.

> Do I need to specify a PKINIT certificate matching rule, or is there
> some other configuration that is required?

I do not think a matching rule would help; it sounds like you have two
distinct certificates but I cannot think of a generic match rule that
would match one certificate but not another based on the requested
principal.

> Second problem: securing the client's private key. The Linux client has
> a TPM 2.0 module, but I haven't found any documentation on how to
> configure it for use with Kerberos, if indeed this is supported.
> References would be welcome.

The incredibly short answer here is that the only generic mechanism
supported for hardware storage of private keys is a PKCS#11 module. A
quick Google suggests that there are PKCS#11 modules which can interface
with a TPM module. However, I have to caution you that when using a
PKCS#11 module with Kerberos the hardware backed by the PKCS#11 module
has to contain the certificate _and_ keys. There's not a way to say,
"The cert is on this file and the private key is available in this
module". (I COULD be wrong about this, but a quick glance at the source
code suggests that I am correct). A very quick Google only shows the
PKCS#11 module that interfaces with TPM storing private keys; it MAY
support storing a certificate as well, but it may not. You're going to
be kind of on the fringe here is what I'm trying to say.

> The machine has a smartcard reader, so my other options would be to
> purchase some compatible smartcards (after finding out what those are),
> or a security key. In the latter case, I would probably choose a FIDO 2
> key with smartcard support.

I would also caution you that the same issue applies as above; you need
to make sure your smartcard (a) has a PKCS#11 module available (on Linux
this probably means OpenSC) and (b) it supports storing certificates on
the smartcard.

I have had success using a YubiKey 5 in PIV mode which also supports a
bunch of other things like FIDO 2; I have no connection with Yubico
other than as a user. Yubico provides a PKCS#11 module but in PIV mode
you should be able to use any PKCS#11 module that supports PIV (this is
very common). One advantage to a YubiKey is it is just USB and does not
require a dedicated smartcard reader. Note that this is a lot of moving
parts and probably will require a fair amount of fiddling.
--Ken
Elementary PKINIT questions (MIT Kerberos/Linux configuration)
Dear kerberos community,

I've set up a very small MIT Kerberos installation for my own use, with
MIT Kerberos under Linux. In experimenting with the PKINIT
configuration, I have essentially followed the MIT Kerberos
documentation (using openssl to generate keys and certificates), and
reached the point at which I can authenticate as principal "jason"
without a password. (I also have sssd configured on my Linux client
with sssd-kcm for caching and the PAM module for login.)

First problem: I have a second principal, jason/admin, for use with
kadmin. I've generated a certificate that can authenticate. However, now
that I have two certificates (one for jason and another for
jason/admin), it isn't clear how to configure the client to offer the
correct certificate to the kdc. If I specify both certificates on
pkinit_identities lines in the client's krb5.conf file, "jason" can log
in, but kadmin returns a "Client name mismatch while initializing kadmin
interface" error. My assumption is that the wrong certificate was
offered to the KDC (i.e., not the jason/admin certificate). Specifying
the directory containing the certificates in pkinit_identities results
in finding two certificates where one is expected, with an error message
to that effect.

Do I need to specify a PKINIT certificate matching rule, or is there
some other configuration that is required?

Second problem: securing the client's private key. The Linux client has
a TPM 2.0 module, but I haven't found any documentation on how to
configure it for use with Kerberos, if indeed this is supported.
References would be welcome.

The machine has a smartcard reader, so my other options would be to
purchase some compatible smartcards (after finding out what those are),
or a security key. In the latter case, I would probably choose a FIDO 2
key with smartcard support.

As mentioned, this is simply for my own use/experimentation, so there's
no urgency at all.
Re: Add preauth questions to kerberos responder context
I succeeded at the end. The problem was that a previous PKCS11 session
was not closed before the PKINIT process tried to open a new one.

    103: C_Initialize
    2017-01-12 17:46:43.597
    [in] pInitArgs = (nil)
    Returned: 401 CKR_CRYPTOKI_ALREADY_INITIALIZED
    C_Initialize: cryptoki already initialized
    can't open pkcs11 session
    104: C_Finalize
    2017-01-12 17:46:43.598
    Returned: 0 CKR_OK
    pkinit_client_prep_questions: no questions to ask
    pkinit_client_prep_questions returning 0
    pkinit_client_prep_questions: no questions to ask
    pkinit_client_prep_questions returning 0
    questions_to_answer=password
    pkinit_client_process 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70 0x7fffe40a1c20
    processing KRB5_PADATA_PK_AS_REQ
    pkinit_client_profile 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70 0x7fffe40a2538
    pkinit_identity_prompt: 0x7fffe409f1f0 0x7fffe40a23f0 0x7fffe40a2290

If all the previously opened sessions are properly closed and the KDC is
configured to ask the client for a PKINIT preauthentication, we should
get the following result:

    111: C_CloseSession
    2017-01-12 18:05:04.655
    [in] hSession = 0xbabfcb7f
    Returned: 0 CKR_OK
    112: C_Finalize
    2017-01-12 18:05:04.655
    Returned: 0 CKR_OK
    pkinit_client_prep_questions: asking question '{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
    pkinit_client_prep_questions returning 0
    pkinit_client_prep_questions: asking question '{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
    pkinit_client_prep_questions returning 0
    questions_to_answer=pkinit
    pkinit_client_process 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760 0x7fffe40897f0
    processing KRB5_PADATA_PK_AS_REQ
    pkinit_client_profile 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760 0x7fffe4089f38
    pkinit_identity_prompt: 0x7fffe4096090 0x7fffe4089df0 0x7fffe4089c70

Dorian Duc wrote
> Hello,
>
> I want to use "pkinit" preauth question to authenticate with kerberos.
>
> But I'm unable to answer "pkinit" question because it's not available in
> the list of questions returned by krb5_responder_list_questions(). Only
> "password" is proposed.
>
> How can I add "pkinit" or even "otp" in the list of preauth questions?
>
> Thank you
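An added example (my code, not MIT krb5's and not the posters'): it parses the identity strings used by pkinit_identities and -X X509_user_identity in Ken's reply above (FILE: and PKCS11: forms) and builds the answer to the "pkinit" responder question whose challenge appears in the trace above, following the layout krb5's responder.h gives for that question (challenge maps identity to token flag bits, answer maps identity to PIN). The flag-bit names are taken from responder.h; the PIN "1234" and the locked-token challenge are constructed for illustration.

```python
import json

# Token-state bits carried in the "pkinit" challenge, named after
# KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_* in krb5's responder.h.
PIN_COUNT_LOW = 1 << 0
PIN_FINAL_TRY = 1 << 1
PIN_LOCKED = 1 << 2

# Challenge string copied from the successful trace in this post.
CHALLENGE = ('{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so'
             ':slotid=1:token=CCC":0}')


def parse_identity(identity):
    """Split a pkinit_identities / -X X509_user_identity value into parts.

    Handles the forms seen in the thread: FILE:cert[,key], DIR:path and
    PKCS11:key=value[:key=value...].  Assumes PKCS11 values contain no ':'.
    """
    kind, sep, rest = identity.partition(":")
    if not sep:
        raise ValueError("identity lacks a TYPE: prefix: %r" % identity)
    if kind == "FILE":
        cert, _, key = rest.partition(",")   # key defaults to the cert file
        return {"type": "FILE", "cert": cert, "key": key or cert}
    if kind == "DIR":
        return {"type": "DIR", "path": rest}
    if kind == "PKCS11":
        opts = {"type": "PKCS11"}
        for item in filter(None, rest.split(":")):
            key, _, value = item.partition("=")
            opts[key] = value
        return opts
    raise ValueError("unsupported identity type %r" % kind)


def answer_pkinit_question(challenge_json, pins):
    """Build the JSON answer for a "pkinit" responder question.

    challenge_json maps identity -> flag bits; pins maps identity -> PIN
    (supplied by the caller, e.g. from a prompt).  A token reporting
    PIN_LOCKED is skipped rather than answered, so the responder never
    spends a retry on a token that is already locked.  Returns
    (answer_json, warnings).
    """
    answer, warnings = {}, []
    for identity, flags in json.loads(challenge_json).items():
        if flags & PIN_LOCKED:
            warnings.append("%s: user PIN locked, not answering" % identity)
            continue
        if flags & PIN_FINAL_TRY:
            warnings.append("%s: final PIN try" % identity)
        elif flags & PIN_COUNT_LOW:
            warnings.append("%s: PIN retry count low" % identity)
        if identity in pins:
            answer[identity] = pins[identity]
    return json.dumps(answer), warnings


if __name__ == "__main__":
    identity = next(iter(json.loads(CHALLENGE)))
    print(parse_identity(identity))
    print(parse_identity("FILE:/tmp/foo.pem"))
    # "1234" is a constructed PIN for the demonstration only.
    print(answer_pkinit_question(CHALLENGE, {identity: "1234"}))
```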
Add preauth questions to kerberos responder context
Hello,

I want to use "pkinit" preauth question to authenticate with kerberos.

But I'm unable to answer "pkinit" question because it's not available in
the list of questions returned by krb5_responder_list_questions(). Only
"password" is proposed.

How can I add "pkinit" or even "otp" in the list of preauth questions?

Thank you
Re: some questions about kerberos v5
On 11/07/2016 03:14 AM, 旺邑 wrote:
> I had downloaded the source code of krb5-1.13.4 from your page. Then I
> used the commands ''./configure'', "make" and "make check" to configure
> and compile the source code. However, there was no executable file of
> the file src/lib/crypto/crypto_tests/vectors.c after the compiling. So,
> I had to look for the compiling commands from the Makefiles.
> Fortunately, I had successfully done this and got the executable file
> of vectors.c at last. But when I execute the executable file
> (./vectors), I have got the error "segmentation fault". So far, I have
> not worked out this problem. I would appreciate your time in reviewing
> my problem and if there is any additional information you need, please
> contact me.

We should probably remove that file; it isn't actually part of the test
suite. Other test programs in that directory are used to verify RFC test
vectors.
some questions about kerberos v5
Dear Professor,

I am a college student in China and I am now studying the Kerberos
protocol. But during my experiment, I have encountered a problem which
I'd like to discuss with you. Here is my problem:

I had downloaded the source code of krb5-1.13.4 from your page. Then I
used the commands ''./configure'', "make" and "make check" to configure
and compile the source code. However, there was no executable file of
the file src/lib/crypto/crypto_tests/vectors.c after the compiling. So,
I had to look for the compiling commands from the Makefiles.
Fortunately, I had successfully done this and got the executable file of
vectors.c at last. But when I execute the executable file (./vectors), I
have got the error "segmentation fault". So far, I have not worked out
this problem. I would appreciate your time in reviewing my problem and
if there is any additional information you need, please contact me.
Re: Questions about Kerberos V5
houyuan <15606931...@163.com> writes:
> I have a strange question here. I hope to get a solution.
> I set the timing task to get the authentication information.
>
> but
>
> and KDC Server log

It seems like you attached some images to your post, but our mailing
list removes image attachments. If you could cut and paste the logs as
text, that would help us to see what's going on.

> so, why update authentication information in 7:10:35, and the KDC
> service receives the TGS request instead of the AS request.
> And an exception occurs when the application is executed

What application is this?
Questions about Kerberos V5
Hi:

I have a strange question here. I hope to get a solution.
I set the timing task to get the authentication information.

but

and KDC Server log

so, why update authentication information in 7:10:35, and the KDC
service receives the TGS request instead of the AS request.
And an exception occurs when the application is executed

Do you have solutions and suggestions?

Thank you!
Re: Questions on Kerberos
Hi all,

Can someone please guide me in understanding the use of the function
gss_krb5_ccache_name? I have a user name and password for a specific
user and want to generate a temporary ticket for the user (which I store
in memory) and then switch the context to that ticket and then acquire
the credentials for the user (using the gss_acquire_cred call - which I
can modify to handle memory based tickets).

Thanks a lot for all the help in advance.

Best Regards,
Sayali

Christopher D. Clausen [EMAIL PROTECTED] wrote:
> Joseph Kuan wrote:
>> 1. I notice that some of the kerberos (windows authentication) packets
>> have principal with dollar sign character at the end. Also the
>> principal is not the user name, it is actually the hostname. What
>> does it mean?
>
> Those are the principals for machine or computer accounts.
>
>> 2. I am trying to measure the response time of windows login. For a
>> windows login, can I assume the time taken from AS-REQ/REP to the
>> first TGS-REQ/REP ?
>
> seems reasonable to me.
>
> --
> Christopher D. Clausen [EMAIL PROTECTED] SysAdmin
Questions on Kerberos
Hi all,

I am not sure whether this is the right place for these questions. If
not, I do apologise. I have been using ethereal to analyse the kerberos
packets.

1. I notice that some of the kerberos (windows authentication) packets
have principal with dollar sign character at the end. Also the principal
is not the user name, it is actually the hostname. What does it mean?

2. I am trying to measure the response time of windows login. For a
windows login, can I assume the time taken from AS-REQ/REP to the first
TGS-REQ/REP ?

Many thanks
Joe
Re: Questions on Kerberos
Joseph Kuan [EMAIL PROTECTED] wrote:
> 1. I notice that some of the kerberos (windows authentication) packets
> have principal with dollar sign character at the end. Also the
> principal is not the user name, it is actually the hostname. What does
> it mean?

Those are the principals for machine or computer accounts.

> 2. I am trying to measure the response time of windows login. For a
> windows login, can I assume the time taken from AS-REQ/REP to the first
> TGS-REQ/REP ?

seems reasonable to me.

CDC
--
Christopher D. Clausen [EMAIL PROTECTED] SysAdmin
Questions on kerberos (principal, service, renew command)
Hi all,

I have the following questions by looking at the kerberos packets
(Windows login) through ethereal:

1. There are several service names, such as host, ldap, LDAP, cifs, etc.
What is the difference between ldap and LDAP? What does the service,
host, do?

2. There are some TGS-REP with principal name, hostname$. What does this
mean?

3. After a TGS-REQ renew request (KDCOption == 0x02), then a TGS-REP with
krbtgt. Then there is always another TGS-REQ and TGS-REP for the krbtgt
service. Why is that?

Many thanks
Joe
Questions regarding Kerberos and Active Directory and SQL Server
Hello all,

I have some questions that I would appreciate getting some expert
Kerberos assistance with.

1) Is SQL Server limited to DES encryption only? The reason I ask is
that I have discovered empirically that the SQL Server service startup
account needs to set the Active Directory property "Use DES encryption
types for this account". A possible explanation was found as follows:

    This flag [Use DES encryption types for this account] is only
    required for service accounts which can only handle DES. When a
    client makes a request for a service ticket for such service, using
    TGS-Exchange, the Win2K KDC generates a DES service ticket if this
    flag is set.

If this information is true, it would appear that SQL Server can only
handle DES encryption.

2) Why would I not receive an SSPI token back from SQL Server even if I
successfully connect to SQL Server using Active Directory/Kerberos
authentication? I have an application that requests mutual
authentication using the Java GSS-API and no SSPI token is ever
returned. We expect our application to receive an SSPI token back from
SQL Server to complete the authentication process. This expectation is
based on the API and the fact that the TDS specification implies this
will occur.

Any assistance that can be provided would be very helpful.

Thanks!
Re: Questions regarding Kerberos and Active Directory and SQL Server
Sleepy wrote:
> Hello all,
>
> I have some questions that I would appreciate getting some expert
> Kerberos assistance with.
>
> 1) Is SQL Server limited to DES encryption only? The reason I ask is
> that I have discovered empirically that the SQL Server service startup
> account needs to set the Active Directory property "Use DES encryption
> types for this account". A possible explanation was found as follows:
>
>     This flag [Use DES encryption types for this account] is only
>     required for service accounts which can only handle DES. When a
>     client makes a request for a service ticket for such service,
>     using TGS-Exchange, the Win2K KDC generates a DES service ticket
>     if this flag is set.
>
> If this information is true, it would appear that SQL Server can only
> handle DES encryption.

I don't know about MS SQL but the Java GSS-API only supports DES
encryption.

> 2) Why would I not receive an SSPI token back from SQL Server even if I
> successfully connect to SQL Server using Active Directory/Kerberos
> authentication? I have an application that requests mutual
> authentication using the Java GSS-API and no SSPI token is ever
> returned. We expect our application to receive an SSPI token back from
> SQL Server to complete the authentication process. This expectation is
> based on the API and the fact that the TDS specification implies this
> will occur.

The Java client will receive a ticket for use in authenticating to the
MS SQL service account. This will be placed in the Java application's
credential cache which is stored in a file. This will be obtained prior
to the completion of the mutual authentication.

What are you using to examine the exchange?

> Any assistance that can be provided would be very helpful.
>
> Thanks!
Some questions about kerberos...
Hi people,

Could someone tell me
- what is GSS_API? is it always used in kerberos?
- what is IAKERB?
- Is it possible to map kerberos in Extensible Authentication Protocol
  (EAP)?

I haven't found simple docs on the web except some IETF RFCs and
drafts... which are very difficult to understand for a beginner

Thanks