
Reg: pkinit with smartcard on kerberos V5


Lohit Valleru

Feb 26, 2013, 4:39:46 PM
to kerb...@mit.edu
Dear Community,

I assume I have mailed to the right community list for these kinds of
questions. If I have mailed to the wrong location, may I please ask for
the respective mailing address.

I am a system administrator for a high performance cluster, and I am
thinking of setting up smartcard authentication with Kerberos.

I have already completed the Kerberos authentication implementation for users
of the cluster, through kinit and GSSAPI.

These are the steps that I have followed to set up pkinit with the smartcard.

1. I have created a CA to issue the CA certificates and CA key, and used those to
create the KDC certificates and client certificates as mentioned in the
link below.

http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html

2. However, in order to use the smartcard along with PAM and Kerberos
authentication, I need to use the CAs given by our organization for the
smart card, for which we do not have the CA key.

My question is: do we have to use the same CA for KDC, client and
smartcard certificates? Or can we specify 2 different CAs to the KDC, one for
the KDC/client certificates and one for the smartcard certificate?

That way it would be helpful if the KDC could use a self-generated CA
certificate for the KDC and client certificates, while it uses the
smartcard CA certificate for user login authentication with the smart card.

Also, may I know how we kinit using the smartcard, in order to debug whether the
issue is with the PAM login attempt or with Kerberos authentication.

I would be happy to hear from you.

Thank you

Lohit

Douglas E. Engert

Feb 26, 2013, 5:45:24 PM
to kerb...@mit.edu


On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> Dear Community,
>
> I assume, i have mailed to the right community list for these kind of
> questions. If i have mailed to the wrong location - may i please ask for
> the respective mailing address.
>
> I am a system administrator for a high performance cluster, and I am
> thinking of setting up a smartcard authentication with kerberos.
>
> I have already completed the Kerberos authentication implementation for users
> of the cluster, through kinit and GSSAPI.
>
> These are the steps that i have followed to setup pkinit with smartcard.
>
> 1. I have created a CA to issue the CA certificates and CA key, and used those to
> create the KDC certificates and client certificates as mentioned in the
> link below.
>
> http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
>
> 2. However, in order to use smartcard along with PAM and kerberos
> authentication - i need to use the CAs given by our organization for the
> smart card, for which we do not have the CA key.

Your organization's CA can sign a certificate request created by the
key on the card or by the KDC. The signed request then becomes the certificate
signed by the CA. You as the Kerberos admin don't need the CA's key.

>
> My question is: do we have to use the same CA for KDC, client and
> smartcard certificates? Or can we specify 2 different CAs to the KDC for
> the KDC/client certificates and the smartcard certificate?

You can use different CAs. The client will need a copy of the CA certificate
that signed the KDC's certificate. The KDC needs a copy of the CA certificate
used to sign the smart card certificate. (simplest case.)

>
> In that way, It would be helpful - If KDC could use a self-generated CA
> certificate for the KDC and Client certificate, while it will use the
> Smartcard CA certificate for user login authentication with smart card.
>
> Also, may i know how we kinit using smartcard - in order to debug if the
> issue is with PAM login attempt or kerberos authentication.
>
> I would be happy to hear from you.

FYI, Windows AD 2003 and above can be used as a KDC and it can do PKINIT.
Windows 7 and above come with all the software needed if you are
using certain types of smart cards (HSPD-12 PIV cards, for example).

Linux and Macs with Kerberos and PKINIT can use AD as the KDC.

We use some smart cards with certificates signed by our windows
enterprise CA, as well as government issued cards to login to Windows
or Unix.

What cards are you using?
What code to manage the cards?
What code on the cards?
What card readers?


>
> Thank you
>
> Lohit
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

loh...@gmail.com

Mar 9, 2013, 12:48:23 PM
to kerb...@mit.edu
Hello Douglas,

Thank you for your reply. It gives me hope to solve the ongoing issue.

Please let me give an explanation of the environment in which I am trying to use smart cards.

I would like to use both Linux (CentOS) and Windows as client machines.

However, only Linux (CentOS) is used as our server operating system. CentOS is a Red Hat Linux variant.

I already have a fully configured working setup of OpenLDAP, GSSAPI and Kerberos as the user authorization and authentication mechanism with Windows and Linux clients.
The OpenLDAP repository is used as the principal database for Kerberos, so OpenLDAP (389 Directory Server) is used for authorization and Kerberos is used for authentication.

Users can log in using Kerberos password authentication with ssh, and they will receive Kerberos tickets with the current configuration.

However, I would like to get rid of passwords and use PIV card pkinit authentication with Kerberos instead of using passwords.

I understand that AD and Windows have a good implementation of pkinit, but I do want to use AD for KDC or for directory service.


I have tried configuring the KDC and clients with pkinit for client console login.

I would just want the users to get Kerberos tickets when they log in to the Linux client console.

Initially, I tried PAM authentication for the smartcard and I was successful in using the smartcard CA for login using my smart card PIN. So I can log in using the smartcard to all Linux machines. However, I would also want to get Kerberos tickets once I log in.

This is where pam_krb5 and krb5.conf come into the picture, and I have configured those too with respect to the pkinit configuration.

Now when I try to log in (after PAM is configured to use Kerberos), I do get a prompt for entering my PIN, but after I enter my PIN Kerberos still cannot authenticate me, with logs mentioning:

"Decrypt integrity check failed"

I have searched the forums, and I understand that the above log message means that the KDC is not able to decrypt, either because the password is wrong or it doesn't support the encryption used.

I am confused: if PAM authentication can decrypt and allow me to log in using the smart card CA, why is the KDC not able to decrypt?

It could be that I did not configure krb5.conf accurately.

If I can use kinit to initiate pkinit with the smart card, I would then be able to debug whether this issue is related to Kerberos only or to PAM and Kerberos.

Please do help me with the respective Kerberos configuration for the smartcard.

My smartcard info is as below:

Model: ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK

I do not know the code used inside the smartcard.

It uses signature algorithm: sha256RSA


Also please find my comments below.

Thank you for your help, and I would be happy to hear from you.

Regards,

Lohit



On Tuesday, February 26, 2013 5:45:24 PM UTC-5, Douglas E. Engert wrote:
> On 2/26/2013 3:39 PM, Lohit Valleru wrote:
> > Dear Community,
> >
> > I assume I have mailed to the right community list for these kinds of
> > questions. If I have mailed to the wrong location, may I please ask for
> > the respective mailing address.
> >
> > I am a system administrator for a high performance cluster, and I am
> > thinking of setting up smartcard authentication with Kerberos.
> >
> > I have already completed the Kerberos authentication implementation for users
> > of the cluster, through kinit and GSSAPI.
> >
> > These are the steps that I have followed to set up pkinit with the smartcard.
> >
> > 1. I have created a CA to issue the CA certificates and CA key, and used those to
> > create the KDC certificates and client certificates as mentioned in the
> > link below.
> >
> > http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html
> >
> > 2. However, in order to use the smartcard along with PAM and Kerberos
> > authentication, I need to use the CAs given by our organization for the
> > smart card, for which we do not have the CA key.
>
> Your organization's CA can sign a certificate request created by the
> key on the card or by the KDC. The signed request then becomes the certificate
> signed by the CA. You as the Kerberos admin don't need the CA's key.


I had asked the above question assuming that we have to use the smart card CA to create the KDC certificate, for which I would have to send the KDC certificate request to the organization's CA. However, I would like to keep a separate CA for the KDC, and since we can use different CAs, that solves the above issue.


>
> > My question is: do we have to use the same CA for KDC, client and
> > smartcard certificates? Or can we specify 2 different CAs to the KDC for
> > the KDC/client certificates and the smartcard certificate?
>
> You can use different CAs. The client will need a copy of the CA certificate
> that signed the KDC's certificate. The KDC needs a copy of the CA certificate
> used to sign the smart card certificate. (simplest case.)
>

I do have the CA used to create the KDC certificate, and also the CA used for the certificate on the smart/PIV card. I have also configured the KDC to use both CAs under a directory. However, the KDC still gives me the error: "Decrypt integrity check failed".

loh...@gmail.com

Mar 9, 2013, 12:54:49 PM
to kerb...@mit.edu
Also, I use ActivClient smartcard readers, and they are accepted by Linux systems without any issue.


lohitv9

Mar 9, 2013, 5:43:10 PM
to kerb...@mit.edu
Hello Douglas,
"Decrypt integrity check failed"

I have searched the forums, and I understand that the above log message
means that the KDC is not able to decrypt, either because the password is wrong
or it doesn't support the encryption used.

I am confused: if PAM authentication can decrypt and allow me to log in
using the smart card CA, why is the KDC not able to decrypt?

It could be that I did not configure krb5.conf accurately.

If I can use kinit to initiate pkinit with the smart card, I would then be able to
debug whether this issue is related to Kerberos only or to PAM and Kerberos.

Please do help me with the respective Kerberos configuration for the smartcard.

My smartcard info is as below:

Model: ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK

I do not know the code used inside the smartcard.

It uses signature algorithm: sha256RSA.

I use ActivClient card readers, and they function properly within a Linux
environment.

Please do let me know if I have to provide any more information on the
smart card itself, or the certificates residing inside the smart card.

-------------------------------------------------------------------------------------------------------
> Douglas E. Engert <DEEn...@anl.gov>
>
> Argonne National Laboratory
>
> 9700 South Cass Avenue
>
> Argonne, Illinois 60439
>
> (630) 252-5444




Douglas E. Engert

Mar 10, 2013, 8:24:54 PM
to kerb...@mit.edu


On 3/9/2013 11:48 AM, loh...@gmail.com wrote:
> Hello Douglas,
>
> Thank you for your reply. It gives me a hope to solve the ongoing issue.
>
> Please let me give an explanation of the environment that i am trying to use smart cards.
>
> I would like to use both Linux(centos) and Windows as client machines

I have been talking to another individual about PKINIT with GDM on CentOS.
It is not clear if the CentOS pam_krb5 supports PKINIT or not. I do
not have a CentOS system to test. (Maybe someone else on the list knows
if the CentOS pam_krb5 can do PKINIT.)

You say below that you can logon to the system with the smart card,
but that may be a local logon to the machine done with the pam_pkcs11.so
module, not with the pam_krb5. Check the pam configuration files.

>
> However, only Linux( centos) is used as our server operating systems. Centos is a Red hat linux variant.
>
> I already have a full configured working setup of : OpenLDAP, GSSAPI, and Kerberos setup as the User authorization and authentication mechanism with windows and linux clients.
> OpenLDAP repository is used as a principal database for Kerberos, so OpenLDAP(389-directory server) is used for authorization and Kerberos is used for authentication.
>
> Users can login using password kerberos authentication with ssh and they will receive kerberos tickets with the current configuration.
>
> However, i would like to get rid of passwords and use PIV card pkinit authentication with kerberos instead of using passwords.
>
> I understand that AD and windows have a good implementation of pkinit but i do want to use AD for KDC or for directory service.
>

Yes, so if you wish to use AD as the KDC with a smartcard,
you should make sure Windows smartcard login works first.
Windows 7 has all the PC/SC and PIV drivers built in, so there
is no extra code.

>
> I have tried configuring KDC and clients with pkinit for client console login.
>
> I would just want the users to get kerberos tickets when they login to Linux client console.
>
> Initially - I have tried PAM authentication for smartcard and I was successful in using Smartcard CA for login using my smart card pin. So i can login using smartcard to all linux machines. However i also would want to get kerberos tickets once i login.
>
> This is where PAM_krb5 and krb5.conf comes into the picture, and i have configured those too with respect to the pkinit configuration.
>

There are many implementations of pam_krb5 based on different code bases.
I have had good success using the Debian version on Solaris and Ubuntu
that comes with this version:

http://www.eyrie.org/~eagle/software/pam-krb5/

If the CentOS pam-krb5 does not support PKINIT, you may want to try
the above version. (Or try running Ubuntu or Debian OS as a test.)


> Now when i try to login ( after PAM is configured to use kerberos), i do get a prompt for entering my pin , but after i enter my pin - Kerberos still cannot authenticate me, with logs mentioning that :
>

The PIN prompt may be from pam_pkcs11.so, not the pam_krb5.

> " Decrypt integrity check failed"
>

This usually means the password is not valid, or a keytab does not match the KDC's
version.

> I have searched the forums, and i understand that the above log message means that, KDC is not able to decrypt either because the password is wrong or it doesnt support the encryption used.
>
> I am confused that, if PAM authentication can decrypt and allow me to login using the SMART card CA . Why is that KDC is not able to decrypt.
>

The login may be from pam_pkcs11.so.

All PAM modules accept a debug option to write debug info
to syslog. You may want to add the debug option to the pam_pkcs11.so and pam_krb5.so
lines in the PAM config files.

Wireshark network traces can also help, as it can show a lot of the
Kerberos packets.


> I could be that i did not configure the krb5.conf accurately.
>
> If i can use kinit to initiate pkinit with smart card, i would then able to debug if this issue is related to kerberos only or pam and kerberos.
>

Yes, kinit can use PKINIT, even if pam_krb5 cannot.

> Please do help me with the respective kerberos configuration for smartcard.
>
> MY smartcard info is as below :
>
> Model : ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK
>

I am assuming that the card was issued to you by some government CA.


> I do not know the code used inside the smartcard.
>
> its uses signature algorithm: sha256rsa
>
>
> Also please do find my comments as below .
>
> Thank you for your help, and I would be happy to hear from you.
>
> Regards,
>
> Lohit
>
>


I am out of the office all next week and may not respond quickly.

Nalin Dahyabhai

Mar 12, 2013, 5:55:55 PM
to Douglas E. Engert, kerb...@mit.edu
On Sun, Mar 10, 2013 at 07:24:54PM -0500, Douglas E. Engert wrote:
> On 3/9/2013 11:48 AM, loh...@gmail.com wrote:
> > Hello Douglas,
> >
> > Thank you for your reply. It gives me a hope to solve the ongoing issue.
> >
> > Please let me give an explanation of the environment that i am trying to use smart cards.
> >
> > I would like to use both Linux(centos) and Windows as client machines
>
> I have been talking to another individual about PKINIT with GDM on CentOS.
> It is not clear if the CentOS pam_krb5 supports PKINIT or not. I do
> not have a CentOS system to test. (Maybe someone else on the list knows
> if the CentOS pam_krb5 can do PKINIT.)

Yes, it can.

The short version is that you want to get kinit working first - this
means configuring krb5.conf with the usual pkinit_anchors and, if
needed, pkinit_pool settings.

If the KDC's certificate isn't quite what the client module is expecting
(for example, if the KDC is an AD domain controller using a domain
controller certificate issued by ADCS), using pkinit_kdc_hostname (set
to the domain controller's idea of what its hostname is) and/or
pkinit_eku_checking (set to "kpServerAuth") may also be necessary.

And if the PKINIT module (in the krb5-pkinit-openssl binary package in
CentOS 6) can't select exactly one certificate from the client's smart
card, you'll also need to set pkinit_cert_match to a value that'll
instruct PKINIT on how to do so (depending on the PIV card, we sometimes
have to go with "<KU>digitalSignature<EKU>msScLogin").

The last thing you'd need to set is the location of the client's
credentials. My personal preference is to only set that when you intend
to use PKINIT, for example by passing the location in the form of an
option to kinit:
kinit -X X509_user_identity=PKCS11:my_pkcs11_module.so

The pam_krb5 that comes with CentOS can take similar settings via the
module's "preauth_options" option, so you'd want to add this to the
relevant "auth" line in the right PAM configuration file (probably
/etc/pam.d/smartcard-auth):
preauth_options=X509_user_identity=PKCS11:my_pkcs11_module.so

If there's no other module being invoked before pam_krb5 that's asking
for a password, you'll want to suppress pam_krb5's default behavior of
prompting for a password first by also giving the module its
"no_initial_prompt" option.

If pam_pkcs11's invoked first, or some other module is but you're still
certain that the other module is setting a PAM_AUTHTOK value that's a
smart card PIN and not a password, you can force pam_krb5 to just supply
that value when libkrb5 prompts for something, rather than asking the
application to ask the user, by specifying the module's
"no_subsequent_prompt" option.

HTH,

Nalin
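The thread above spreads the configuration across three replies: Douglas's point that the client trusts the CA that issued the KDC certificate while the KDC trusts the CA that issued the card certificates, his advice to add the "debug" option to the pam_pkcs11.so and pam_krb5.so lines while diagnosing, and Nalin's list of krb5.conf settings, the kinit -X option and the pam_krb5 module options. The script below is an added example written for this page, not a file from the thread, from MIT Kerberos or from any distribution; it writes constructed client krb5.conf, KDC kdc.conf and PAM fragments side by side into a scratch directory (never /etc) and checks that each directive landed in the right file. The realm EXAMPLE.ORG, the hostnames, every file path and the use of OpenSC's opensc-pkcs11.so as the PKCS#11 module are assumptions chosen for illustration; substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread): PKINIT settings for a smart-card login,
# written as fragments into a scratch directory so the script is safe to run
# anywhere. Realm, hostnames, paths and the PKCS#11 module are placeholders.

# Usage: write_pkinit_fragments /path/to/scratch/dir
write_pkinit_fragments() {
    dir="$1"
    mkdir -p "$dir/pam.d"

    # Client side: krb5.conf. pkinit_anchors names the CA that issued the KDC
    # certificate (the client trusts the KDC CA, not the card CA).
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        # CA that signed the KDC certificate (placeholder path)
        pkinit_anchors = FILE:/etc/pki/kdc-ca.pem
        # intermediate CAs needed to chain the KDC certificate, if any
        pkinit_pool = FILE:/etc/pki/kdc-intermediates.pem
        # only needed when the KDC certificate is not what the client expects,
        # e.g. an AD domain controller certificate issued by ADCS
        pkinit_kdc_hostname = kdc.example.org
        pkinit_eku_checking = kpServerAuth
        # select the card certificate by key usage / EKU when the card holds several
        pkinit_cert_match = <KU>digitalSignature<EKU>msScLogin
    }
EOF

    # KDC side: kdc.conf. Here pkinit_anchors names the organization's card CA,
    # whose private key the Kerberos admin never needs.
    cat > "$dir/kdc.conf" <<'EOF'
[realms]
    EXAMPLE.ORG = {
        # KDC certificate and key, issued by the locally run KDC CA (placeholder paths)
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        # CA that issued the PIV card certificates (placeholder path)
        pkinit_anchors = FILE:/etc/pki/smartcard-ca.pem
    }
EOF

    # PAM side: pam_pkcs11 collects the PIN first, so pam_krb5 gets
    # no_subsequent_prompt and the card location via preauth_options.
    # "debug" on both lines sends diagnostics to syslog while testing.
    cat > "$dir/pam.d/smartcard-auth" <<'EOF'
auth  required   pam_env.so
auth  sufficient pam_pkcs11.so debug
auth  sufficient pam_krb5.so debug no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:opensc-pkcs11.so
EOF
}

# The kinit invocation for testing PKINIT without PAM, returned as a string
# rather than executed so the script stays side-effect free.
pkinit_kinit_command() {
    printf 'kinit -X X509_user_identity=PKCS11:opensc-pkcs11.so %s\n' "$1"
}

# Sanity check: each directive must be in the file that reads it.
# Prints "ok" and returns 0 when all are present.
check_pkinit_fragments() {
    dir="$1"
    grep -q 'pkinit_anchors' "$dir/krb5.conf" || return 1
    grep -q 'pkinit_cert_match' "$dir/krb5.conf" || return 1
    grep -q 'pkinit_anchors' "$dir/kdc.conf" || return 1
    grep -q 'pkinit_identity' "$dir/kdc.conf" || return 1
    grep -q 'pam_krb5.so.*preauth_options=X509_user_identity=PKCS11:' "$dir/pam.d/smartcard-auth" || return 1
    grep -q 'pam_krb5.so.*debug' "$dir/pam.d/smartcard-auth" || return 1
    echo ok
}

# Demo run: writes only under a temporary directory, then removes it.
demo_dir=$(mktemp -d)
write_pkinit_fragments "$demo_dir"
check_pkinit_fragments "$demo_dir"
pkinit_kinit_command user@EXAMPLE.ORG
rm -rf "$demo_dir"
```

Run kinit with the printed command before touching PAM: if it obtains a ticket, the KDC side and krb5.conf are right and the remaining problem is in the PAM stack; if it fails, the KDC log and a Wireshark capture of the AS exchange show which side rejected the certificate.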