
Help in incorporating PKINIT


sasikumar bodathula

May 21, 2013, 3:19:23 AM
to kerb...@mit.edu
Hi,
  Starting a new e-mail since I felt that the old e-mail contained too much info (not a clear one).

I am using the MIT Kerberos client APIs to develop a Kerberos client for a system.

1. Use a custom-named conf file for storing the realm, libdefaults, etc. Once the information is written, this file is set in the
    environment using KRB5_CONF.

2. Now incorporating PKINIT support into our Kerberos client. The following steps were followed:
    a) Created certificates as described on the MIT site
    b) The following entries were placed in the conf file

realm.conf

[realms]
 example.com = {
  kdc = <ipaddress>:88
  pkinit_anchors = FILE:/<path>/certif/cacert.pem
  pkinit_identity = FILE:/<path>/certif/client.pem,/<path>/certif/clientkey.pem
 }

The corresponding APIs are invoked:
krb5_get_init_creds_opt_alloc:- For credential allocation
krb5_get_init_creds_opt_set_pa:- For setting X509_anchors to FILE:/<path>/cert/cacert.pem
krb5_get_init_creds_opt_set_pa:- For setting X509_user_identity to FILE:/<path>/certif/client.pem,/<path>/certif/clientkey.pem
krb5_get_init_creds_opt_set_pa:- For setting "flag_RSA_PROTOCOL" to "yes"

Now during testing:

1. AS_REQ goes from client to KDC, where KDC replies with KRB2KDB_ERR_PREAUTH_REQUIRED
2. The next request AS_REQ from client to KDC goes with padata as PA-ENC-TIMESTAMP (Not PA-DASS with certificate value as expected)

When the same was tested with the kinit command line, the second AS_REQ carried padata as PA-DASS with certificate values. Please guide me if I am missing something in the API usage.


Best Regards,

B.Sasikumar.

Greg Hudson

May 21, 2013, 10:58:31 AM
to sasikumar bodathula, kerb...@mit.edu
On 05/21/2013 03:19 AM, sasikumar bodathula wrote:
> 1. AS_REQ goes from client to KDC, where KDC replies with KRB2KDB_ERR_PREAUTH_REQUIRED
> 2. The next request AS_REQ from client to KDC goes with padata as PA-ENC-TIMESTAMP (Not PA-DASS with certificate value as expected)

Wireshark has the wrong name for padata type 16; it should be
PA-PK-AS_REQ. But that isn't your problem.

> Please guide me if I am missing something in the API usage?

I'm not sure what is wrong. If you are using a sufficiently recent
version of MIT krb5, you can get some additional information from the
library by setting the KRB5_TRACE environment variable to point to a
file, running your program, and then examining the file. You can get
even more information by rebuilding the PKINIT sources with -DDEBUG, but
that takes a lot more work.
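The KRB5_TRACE suggestion above is the quickest way to see which preauth path libkrb5 actually took. The script below is an added example for this thread, not code from MIT krb5 or from either poster: it reads a trace file and reports which padata types the KDC offered, whether the pkinit module ran and what it returned, and which padata type the client put in its next AS-REQ. The sample log is constructed to follow the shape of libkrb5 trace lines (the `[pid] timestamp: message` prefix, "Processing preauth types", "Preauth module ... returned", "Produced preauth for next request"); the error code and message text in it are placeholders, not captured output.

```python
"""Summarise the preauth decisions recorded in an MIT krb5 KRB5_TRACE log.

Added example; not part of MIT krb5. The regular expressions follow the shape
of libkrb5 trace messages, but SAMPLE_TRACE below is constructed, not captured.
"""
import re
from dataclasses import dataclass, field

# Padata type numbers from RFC 4120 and RFC 4556. Older Wireshark builds label
# type 16 as "PA-DASS"; its real name is PA-PK-AS-REQ.
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ_OLD = 14
PA_PK_AS_REQ = 16

RE_KDC_ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")
RE_OFFERED = re.compile(r"Processing preauth types: (.*)$")
RE_PRODUCED = re.compile(r"Produced preauth for next request: (.*)$")
RE_MODULE = re.compile(r"Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)$")

# Constructed sample: the KDC advertises PKINIT (16), the pkinit module fails,
# and the client falls back to PA-ENC-TIMESTAMP (2), as in the thread above.
SAMPLE_TRACE = """\
[4242] 1369120763.101: Getting initial credentials for user@EXAMPLE.COM
[4242] 1369120763.102: Sending request (173 bytes) to EXAMPLE.COM
[4242] 1369120763.103: Received error from KDC: -1765328359/Additional pre-authentication required
[4242] 1369120763.104: Processing preauth types: 16, 14, 19, 2
[4242] 1369120763.105: Selected etype info: etype aes256-cts, salt "EXAMPLE.COMuser", params ""
[4242] 1369120763.106: Preauth module pkinit (16) (real) returned: -1765328174/placeholder pkinit identity error
[4242] 1369120763.107: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4242] 1369120763.108: Produced preauth for next request: 2
[4242] 1369120763.109: Sending request (272 bytes) to EXAMPLE.COM
"""


@dataclass
class TraceSummary:
    kdc_errors: list = field(default_factory=list)      # (code, message) per KDC error reply
    offered: list = field(default_factory=list)         # padata types the KDC listed
    module_results: dict = field(default_factory=dict)  # patype -> (module, code, message)
    produced: list = field(default_factory=list)        # padata types sent in the next AS-REQ


def parse_patypes(text):
    """Accept both '16, 14, 2' and 'PA-PK-AS-REQ (16), PA-ENC-TIMESTAMP (2)' spellings."""
    nums = re.findall(r"\((\d+)\)", text) or re.findall(r"\d+", text)
    return [int(n) for n in nums]


def parse_trace(text):
    """Walk the trace line by line and collect the preauth-relevant events."""
    summary = TraceSummary()
    for line in text.splitlines():
        # Drop the "[pid] seconds.micros: " prefix; keep the message body.
        body = line.split(": ", 1)[1] if ": " in line else line
        if m := RE_KDC_ERROR.search(body):
            summary.kdc_errors.append((int(m.group(1)), m.group(2)))
        elif m := RE_OFFERED.search(body):
            summary.offered.extend(parse_patypes(m.group(1)))
        elif m := RE_PRODUCED.search(body):
            summary.produced.extend(parse_patypes(m.group(1)))
        elif m := RE_MODULE.search(body):
            summary.module_results[int(m.group(2))] = (m.group(1), int(m.group(4)), m.group(5))
    return summary


def diagnose(summary):
    """Classify why the follow-up AS-REQ did or did not carry PKINIT padata."""
    pk_types = {PA_PK_AS_REQ, PA_PK_AS_REQ_OLD}
    if not summary.kdc_errors:
        return "no-preauth-round"          # KDC never asked for preauth
    if not pk_types & set(summary.offered):
        return "pkinit-not-offered"        # KDC side: PKINIT not advertised for this principal
    if pk_types & set(summary.produced):
        return "pkinit-used"               # client answered with PA-PK-AS-REQ
    result = summary.module_results.get(PA_PK_AS_REQ)
    if result is not None and result[1] != 0:
        return "pkinit-failed-fell-back"   # module ran, failed, client fell back (e.g. to type 2)
    return "pkinit-skipped"                # module never reported: check plugin load and client options


if __name__ == "__main__":
    s = parse_trace(SAMPLE_TRACE)
    print("offered:", s.offered, "produced:", s.produced, "->", diagnose(s))
```

Point `KRB5_TRACE` at a file, run the client once, then feed that file to `parse_trace`. A result of `pkinit-failed-fell-back` means the pkinit module was loaded and consulted but rejected its inputs, so the module's own message is the next thing to read; `pkinit-skipped` means the module never ran, which points at whether the PKINIT plugin loaded at all and whether the identity and anchor options reached the library.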
