
kerberos, pre_auth, and smartcards


Bram Cymet

Jul 27, 2010, 3:33:32 PM
to kerb...@mit.edu
Hi,

I have been able to get kinit to (sort of) talk to my smartcard.

By specifying the X509_user_identity on the command line kinit will ask
me for the pin of the smart card and log into the smartcard (using
opensc_pkcs11) but then it will do nothing else with the smartcard. It
will then ask for my password and my kdc will happily issue me a ticket.
Even if I give the wrong PIN for the smartcard I can still get a ticket.

What really worries me is that NEEDED_PREAUTH is set for the principal
that I am using and "Additional pre-authentication required" is sent
back with the first AS_REQ but no matter what I do the kdc will issue a
ticket as long as I give it the correct password.

It is my understanding that with pre_auth required pkinit should be used
and there should be some type of certificate verification correct? This
does not seem to be going on here. I have not specified a client cert
and I know it is not getting the cert off the smartcard. Is my
interpretation of pre_auth required incorrect?

I am using MIT Kerberos compiled from the latest released source.

If more information is needed let me know.

Any ideas what could be going on?

Thanks,

--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752


Kevin Coffman

Jul 27, 2010, 4:05:50 PM
to Bram Cymet, kerb...@mit.edu
PKINIT is one of many methods of pre-authentication. Does the KDC
response to the client with "Additional pre-authentication required"
include PKINIT as an allowed pre-auth method? (You'll probably need a
packet trace to determine this.) If not, there is something wrong
with your KDC setup and it cannot process PKINIT. If PKINIT pre-auth
is not available, then the next default is Timestamp which will prompt
for your password.

You should start with the KDC side and make sure it is correctly
configured and offering PKINIT as an acceptable pre-auth. This may
require re-building the PKINIT plugin with -DDEBUG defined to get more
information.

K.C.


Greg Hudson

Jul 27, 2010, 4:07:34 PM
to Bram Cymet, kerb...@mit.edu
On Tue, 2010-07-27 at 15:33 -0400, Bram Cymet wrote:
> By specifying the X509_user_identity on the command line kinit will ask
> me for the pin of the smart card and log into the smartcard (using
> opensc_pkcs11) but then it will do nothing else with the smartcard.

It is likely something is failing about PKINIT on the client side and
the library is silently moving on to other preauth mechanisms. In krb5
1.9 we are adding a KRB5_TRACE environment variable which can be used to
help delve into problems like this where something went wrong but there
is no error message, but that doesn't help you yet.

Since you're building from source, you might try rebuilding
src/plugins/preauth/pkinit with CFLAGS="-DDEBUG" and possibly some of
the more specific debug flags as necessary:

DEBUG_ASN1
DEBUG_CERTCHAIN
DEBUG_CKSUM
DEBUG_DH
DEBUG_MECHINFO
DEBUG_SAN_INFO
DEBUG_SIG

> It is my understanding that with pre_auth required pkinit should be used
> and there should be some type of certificate verification correct? This
> does not seem to be going on here. I have not specified a client cert
> and I know it is not getting the cert off the smartcard. Is my
> interpretation of pre_auth required incorrect?

preauth-required doesn't specify which kind of preauth is required. The
client is proving its knowledge of the password using a much simpler
mechanism called "encrypted timestamp", and that's sufficient for the
KDC to issue a ticket.

Currently, if you want to specifically require pkinit, you'll need to
randomize the principal's key so that there is no valid password.


Russ Allbery

Jul 27, 2010, 4:43:54 PM
to kerb...@mit.edu
Greg Hudson <ghu...@MIT.EDU> writes:

> preauth-required doesn't specify which kind of preauth is required. The
> client is proving its knowledge of the password using a much simpler
> mechanism called "encrypted timestamp", and that's sufficient for the
> KDC to issue a ticket.

> Currently, if you want to specifically require pkinit, you'll need to
> randomize the principal's key so that there is no valid password.

I thought setting requires_hwauth on the principal should force PKINIT.
Does this not work the way that I thought it did?

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>

Greg Hudson

Jul 27, 2010, 5:06:42 PM
to Russ Allbery, kerb...@mit.edu
On Tue, 2010-07-27 at 16:43 -0400, Russ Allbery wrote:
> I thought setting requires_hwauth on the principal should force PKINIT.
> Does this not work the way that I thought it did?

I can't find anything in our code which would set the HW-AUTHENT ticket
flag for pkinit preauth. Only SAM preauth appears to do that.

It's theoretically possible for a KDC to have evidence of whether PKINIT
preauth was done with hardware or software private keys, but only with
help from the admin, and we don't have that kind of configuration.


Douglas E. Engert

Jul 27, 2010, 5:06:27 PM
to kerb...@mit.edu

On 7/27/2010 2:33 PM, Bram Cymet wrote:
> Hi,
>
> I have been able to get kinit to (sort of) talk to my smartcard.
>
> By specifying the X509_user_identity on the command line kinit will ask
> me for the pin of the smart card and log into the smartcard (using
> opensc_pkcs11) but then it will do nothing else with the smartcard. It
> will then ask for my password and my kdc will happily issue me a ticket.
> Even if I give the wrong PIN for the smartcard I can still get a ticket.
>
> What really worries me is that NEEDED_PREAUTH is set for the principal
> that I am using and "Additional pre-authentication required" is sent
> back with the first AS_REQ but no matter what I do the kdc will issue a
> ticket as long as I give it the correct password.
>
> It is my understanding that with pre_auth required pkinit should be used
> and there should be some type of certificate verification correct? This
> does not seem to be going on here. I have not specified a client cert
> and I know it is not getting the cert off the smartcard. Is my
> interpretation of pre_auth required incorrect?
>
> I am using MIT Kerberos compiled from the latest released source.
>
> If more information is needed let me know.
>
> Any ideas what could be going on?

You may also need changes to the krb5.conf file to add many of the
pkinit_* parameters.

Are your KDCs MIT, Heimdal or Windows?

A wireshark trace would be helpful.

OPENSC=/path/to/opensc
export PKCS11SPY=$OPENSC/lib/opensc-pkcs11.so
kinit -X X509_user_identity=PKCS11:module_name=$OPENSC/lib/pkcs11-spy.so -f <principal>

could show what pkcs11 activity is going on with your card.


>
> Thanks,
>

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
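The pkcs11-spy run Douglas suggests produces a long trace; what matters for the symptom in this thread is whether C_Login succeeded and whether the card was ever asked to sign anything afterwards. The following is an added example, not code from this thread or from OpenSC: a small triage script for such a trace. The line format it parses ("N: C_Function" followed by "Returned:  N CKR_...") is an approximation of pkcs11-spy's output and is an assumption of this example, as are the two embedded sample traces, which are constructed rather than captured.

```python
"""Triage a pkcs11-spy trace of a kinit run: list the PKCS#11 calls made,
their return codes, and whether the card was ever used to sign.
Assumed line format: "N: C_Function" then "Returned:  N CKR_NAME"."""
import re

CALL_RE = re.compile(r"^\s*(\d+):\s+(C_\w+)\s*$")
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(CKR_\w+)")
SIGNING_CALLS = {"C_SignInit", "C_Sign", "C_SignUpdate", "C_SignFinal"}


def parse_spy_log(text):
    """-> list of (call_name, rv_number, rv_name) in call order."""
    calls, current = [], None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = m.group(2)      # remember the call until its return line
            continue
        m = RET_RE.match(line)
        if m and current:
            calls.append((current, int(m.group(1)), m.group(2)))
            current = None
    return calls


def triage(text):
    """Summarize whether the PKINIT client actually exercised the card."""
    calls = parse_spy_log(text)
    logins = [c for c in calls if c[0] == "C_Login"]
    login_ok = any(rv == 0 for _, rv, _ in logins)
    signed = any(name in SIGNING_CALLS and rv == 0 for name, rv, _ in calls)
    errors = [(name, rvname) for name, rv, rvname in calls if rv != 0]
    if not logins:
        verdict = "card never logged into: check the identity string and module path"
    elif not login_ok:
        verdict = "C_Login failed: kinit fell back to another preauth mechanism"
    elif not signed:
        verdict = "logged in but never signed: PKINIT stopped after login (check cert and KDC offer)"
    else:
        verdict = "card signed the AS-REQ: PKINIT was attempted"
    return {"calls": [c[0] for c in calls], "login_ok": login_ok,
            "signed": signed, "errors": errors, "verdict": verdict}


# Constructed trace (not a real capture) matching the symptom in the thread:
# the PIN is wrong, C_Login fails (CKR_PIN_INCORRECT = 0xA0), nothing is signed.
SAMPLE_BAD_PIN = """\
1: C_Initialize
Returned:  0 CKR_OK
2: C_GetSlotList
Returned:  0 CKR_OK
3: C_OpenSession
Returned:  0 CKR_OK
4: C_Login
[in] userType = CKU_USER
Returned:  160 CKR_PIN_INCORRECT
5: C_CloseSession
Returned:  0 CKR_OK
"""

# Constructed trace of a healthy PKINIT run: login, object lookup, signature.
SAMPLE_GOOD = """\
1: C_Initialize
Returned:  0 CKR_OK
2: C_OpenSession
Returned:  0 CKR_OK
3: C_Login
Returned:  0 CKR_OK
4: C_FindObjectsInit
Returned:  0 CKR_OK
5: C_FindObjects
Returned:  0 CKR_OK
6: C_SignInit
Returned:  0 CKR_OK
7: C_Sign
Returned:  0 CKR_OK
"""

if __name__ == "__main__":
    for label, log in (("bad pin", SAMPLE_BAD_PIN), ("good", SAMPLE_GOOD)):
        print(label, triage(log)["verdict"])
```

Run it against the trace that pkcs11-spy writes to stderr (redirect kinit's stderr to a file and pass its contents to triage()); a "logged in but never signed" verdict points at the client-side PKINIT failure Greg describes, while "C_Login failed" explains the wrong-PIN case from the first message.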

Will Fiveash

Jul 27, 2010, 9:50:49 PM
to Greg Hudson, kerb...@mit.edu

I started a thread on this earlier, search for the following in the
archives:

Date: Tue, 9 Feb 2010 19:05:32 -0600
From: Will Fiveash <William...@Sun.COM>
To: MIT Kerberos Dev List <krb...@MIT.EDU>
Subject: HW-AUTHENT flag question
Message-ID: <20100210010...@sun.com>
--
Will Fiveash
Oracle
Note my new work e-mail address: will.f...@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
