Re: Need help with PKINIT

sasikumar bodathula
May 16, 2013, 10:50:20 PM
to kerb...@mit.edu
Hi,
  Adding more information to the previous e-mail thread.

In the conf file the following information is stored:
pkinit_anchors = FILE:<path>/cacert.pem
  pkinit_identity = FILE:<path>/client.pem,<path>/clientkey.pem

When this was tested and the same was captured in Wireshark, it has AS_REQ messages, not PA-PK-AS-REQ.

Question: once these paths were set as values via "krb5_get_init_creds_opt_set_pa", will this API pick the certificate from the mentioned path and communicate with the KDC?

Just for testing the client code, can I specify a KDC which is not reachable so I can see the client's PA-PK-AS-REQ? Is this the correct way for testing, before proceeding to the end-to-end certificate-based authentication with the KDC?


Best Regards,

B.Sasikumar.


From: "sasikumar bodathula" <sasik...@rediffmail.com>
Sent: Thu, 16 May 2013 16:53:11
To: "kerb...@mit.edu" <kerb...@mit.edu>
Subject: Re: Need help with PKINIT

Hi,

  In our case we use the APIs to control the client action.

Setup:

   We maintain the conf files according to the realm names.

1. In the normal scenario we call krb5_get_init_creds_opt_alloc and krb5_get_init_creds_opt_set_forwardable to set the Kerberos flags.

2. Similarly, we called

  krb5_get_init_creds_opt_set_pa(k5->ctx, options, "X509_anchors", "FILE:<path>/cacert.pem");
  krb5_get_init_creds_opt_set_pa(k5->ctx, options, "X509_user_identity", "FILE:<path>/client.pem,<path>/clientkey.pem");
  krb5_get_init_creds_opt_set_pa(k5->ctx, options, "flag_RSA_PROTOCOL", "yes");

The above data was stored in the conf file.

My question is whether what I am doing is the correct procedure. Please do guide me in this.

Best Regards,

B.Sasikumar.





From: Greg Hudson <ghu...@MIT.EDU>
Sent: Thu, 09 May 2013 21:25:53
To: sasikumar bodathula <sasik...@rediffmail.com>
Cc: "kerb...@mit.edu" <kerb...@mit.edu>
Subject: Re: Need help with PKINIT

On 05/09/2013 07:18 AM, sasikumar bodathula wrote:

> I am planning to implement PKINIT in my Kerberos client application. I read the tutorial for PKINIT options on the MIT site and need to know what APIs can be used to achieve PKINIT in a client application.

Normally, a client application doesn't need to use any APIs to make
PKINIT work; all you have to do is configure the client and KDC
appropriately using krb5.conf.

If you have a specific need to control PKINIT behavior from the
application, you can create a krb5_get_init_creds_opt object with
krb5_get_init_creds_opt_alloc and set PKINIT-specific attributes with
krb5_get_init_creds_opt_set_pa.  The attributes you can set this way are
described in the kinit man page under the description of the -X
attribute (so X509_user_identity, X509_anchors, and flag_RSA_PROTOCOL).
You may also need to refer to the krb5.conf man page where it talks
about the pkinit_identities and pkinit_anchors variables.

________________________________________________
Kerberos mailing list           Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
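The configuration route Greg describes, shown as an added example rather than anything posted in the thread. The key name in the first message, `pkinit_identity`, is not the one the MIT krb5.conf documentation defines and Greg names: the PKINIT module looks up `pkinit_identities` (plural), so a key with any other spelling is never read, the client has no identity to present, and the AS-REQ carries no PA-PK-AS-REQ. Both keys may also be set per realm in `[realms]`, which fits a per-realm conf layout. Paths and the realm name are placeholders.

```ini
# Added example (not the thread's own configuration). Paths are placeholders.

# Fragment as posted in the thread: the second key is not a documented name
# and is silently never consulted by the PKINIT module.
[libdefaults]
    pkinit_anchors = FILE:/etc/krb5/cacert.pem
    pkinit_identity = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem

# Corrected fragment: pkinit_identities (plural) is the key the module reads.
[libdefaults]
    pkinit_anchors = FILE:/etc/krb5/cacert.pem
    pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem

# The same two keys placed per realm; realm-level values take precedence
# over [libdefaults] for that realm.
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
        pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
    }
```

With the corrected keys in place, a plain `kinit user@EXAMPLE.COM` should produce an AS-REQ whose padata includes PA-PK-AS-REQ in the same Wireshark capture used in the thread; if it still shows only AS-REQ or PA-ENC-TIMESTAMP, the identity file pair or the anchors path is the next thing to check.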

sasikumar bodathula
May 20, 2013, 6:50:13 AM
to kerb...@mit.edu
Hi,
I need some assistance in proceeding further with PKINIT.

I set up a Kerberos server with PKINIT support and tested it with a client on another machine; this was verified with a Wireshark capture, where the padata goes as PA-DASS and the value carries the certificate.

I then tried testing the same with the client application which I have developed. In this case the padata goes as PA-ENC-TIMESTAMP.

The following steps were followed:
1. Set the certificate information using krb5_get_init_creds_opt_set_pa (set identity, anchor and RSA flag).
2. Then tried setting the PA type using krb5_get_init_creds_opt_set_preauth_list (KRB5_PADATA_PK_AS_REQ).

Do guide me: did I miss some important ste

Best Regards,

B.Sasikumar.


