Heimdal PKINIT setup

Heimdal PKINIT setup

Renyao Wei
Hi everyone,

We are new to Heimdal and are trying to figure out setting up Heimdal with PKINIT. A quick Google search pointed me to this site (http://www.h5l.org/manual/heimdal-1-2-branch/info/heimdal.html) but I failed to get a ticket with certificates. It will be greatly appreciated if you can point me to some instructions. 

Secondly, we want to use ECC certificates for PKINIT. Is there a list of supported curves for the crypto library Heimdal is using? It seems like it is not using openssl. 

Lastly, we have been working with MIT Kerberos PKINIT. Is Heimdal KDC compatible with MIT Kerberos kinit? We intend to use MIT Kerberos kinit and Heimdal KDC.

Thanks,
Renyao

Re: Heimdal PKINIT setup

Henry B (Hank) Hotz, CISSP-2


Personal email. [hidden email]

On Jan 23, 2017, at 9:05 AM, Renyao Wei <[hidden email]> wrote:

> Hi everyone,
>
> We are new to Heimdal and are trying to figure out setting up Heimdal with PKINIT. A quick Google search pointed me to this site (http://www.h5l.org/manual/heimdal-1-2-branch/info/heimdal.html) but I failed to get a ticket with certificates. It will be greatly appreciated if you can point me to some instructions.

AFAIK nothing's changed for setup.

> Secondly, we want to use ECC certificates for PKINIT. Is there a list of supported curves for the crypto library Heimdal is using? It seems like it is not using openssl.

I think some stuff is supported in hcrypto, but best to use OpenSSL. You can use ldd to verify it's linked.

> Lastly, we have been working with MIT Kerberos PKINIT. Is Heimdal KDC compatible with MIT Kerberos kinit? We intend to use MIT Kerberos kinit and Heimdal KDC.

They are wire compatible, though perhaps not all options may be supported. I've used MIT clients with Heimdal. The biggest issue is that the config options are completely disjoint. Also the MIT options are case sensitive and may not give you any error messages.

> Thanks,
> Renyao
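
The reply above notes that MIT option names are case sensitive and that a wrong one may give no error message. The following is an added example, not code from this thread or from either project: a small lint pass over an MIT-style krb5.conf that flags `pkinit_*` relations whose name is mis-cased or misspelled. It assumes the client-side PKINIT relation names listed in MIT's krb5.conf documentation; the function name and the sample configuration are constructed for illustration.

```python
import difflib
import re

# Client-side PKINIT relations as documented for MIT krb5.conf (assumption:
# this list covers the options you use; Heimdal's names are different).
MIT_PKINIT_OPTIONS = {
    "pkinit_anchors", "pkinit_cert_match", "pkinit_dh_min_bits",
    "pkinit_eku_checking", "pkinit_identities", "pkinit_kdc_hostname",
    "pkinit_pool", "pkinit_require_crl_checking", "pkinit_revoke",
}
RELATION = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=")

# Constructed sample: one correct relation, one mis-cased, one misspelled.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
        pkinit_anchors = FILE:/etc/krb5/ca.pem
        PKINIT_Identities = FILE:/etc/krb5/user.pem,/etc/krb5/userkey.pem
        pkinit_kdc_hostnme = kdc.example.test
    }
"""

def lint_pkinit_options(conf_text):
    """Return (line_no, name, problem, suggestion) for suspect pkinit relations."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":
            continue  # blank line, comment, or section header
        m = RELATION.match(line)
        if not m or not m.group(1).lower().startswith("pkinit"):
            continue  # not a relation, or not a PKINIT one
        name = m.group(1)
        if name in MIT_PKINIT_OPTIONS:
            continue  # exact, case-sensitive match
        if name.lower() in MIT_PKINIT_OPTIONS:
            findings.append((line_no, name, "wrong case", name.lower()))
        else:
            close = difflib.get_close_matches(
                name.lower(), sorted(MIT_PKINIT_OPTIONS), n=1)
            findings.append(
                (line_no, name, "unknown option", close[0] if close else None))
    return findings

if __name__ == "__main__":
    for line_no, name, problem, hint in lint_pkinit_options(SAMPLE_KRB5_CONF):
        print(f"line {line_no}: {name}: {problem} (did you mean {hint}?)")
```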

Re: Heimdal PKINIT setup

Sergio NNX

Ciao.

> We are new to Heimdal and are trying to figure out setting up Heimdal with PKINIT. A quick Google search
> pointed me to this site (http://www.h5l.org/manual/heimdal-1-2-branch/info/heimdal.html) but I failed to get a
> ticket with certificates. It will be greatly appreciated if you can point me to some instructions.

It could be useful to show some of the command line(s) used! Some error messages will also help!


We use this cmd line, which works fine:


                kinit -C FILE:bin/testuser.pem,bin/testuserkey.pem [hidden email]



> Secondly, we want to use ECC certificates for PKINIT. Is there a list of supported curves for the crypto library
> Heimdal is using? It seems like it is not using openssl.


Who (or What) is not using OpenSSL?

This may (or may not) give us a clue:


    rsa: hcrypto ltm RSA
    dh: hcrypto ltm DH
    ecdsa: ECDSA_METHOD-not-export
    rand: ok


Contact us should you require further assistance.