Query: Need help for compiling with pkinit enabled.

Query: Need help for compiling with pkinit enabled.

Santosh Kumar
All,
Could you please help with information on how I can enable and use pkinit.

Steps followed for building the library:
 # ./configure --disable-thread-support --without-tcl
 # make install

# kinit -X X509_user_identity=FILE:/home/admin/cert/certificate.pem,/home/admin/cert/mitprivkey.pem testuser
 Password for [hidden email]:

When I tried pkinit to use certificates, it asks for a password!

I'm not sure whether the pkinit plugin is disabled; looking at the file
./include/autoconf.h:
#define DISABLE_PKINIT 1

In krb5-1.15.3/src/plugins/preauth/pkinit I don't see any library binaries
built.

Am I missing any configuration?

PS: kinit and kvno to fetch service tickets work.

Thank you everyone.

Santosh
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Query: Need help for compiling with pkinit enabled.

Greg Hudson
On 09/03/2018 07:06 AM, Santosh Kumar wrote:
>   Could you please help with information how can i enable and use pkinit.

From your description, my best guess is that you need to install the
OpenSSL development files so that PKINIT can be built.  You didn't
mention what platform you are on; for Debian or Ubuntu this means
installing the libssl-dev package.  You can check config.log (in the
directory where you ran configure) to see if PKINIT is enabled:

     configure:12841: checking for a recent enough OpenSSL
     [a couple of lines of building a test program]
     configure:12862: result: yes
     [...]
     PKINIT='yes'

If PKINIT is being built but still isn't working, check the KDC logs (if
you control the KDC) for a message like "preauth pkinit failed to
initialize".  On the client side, use "KRB5_TRACE=/dev/stdout kinit ..."
to look for messages about PKINIT failing on the client side.

If either the KDC or the client cannot use PKINIT, kinit will prompt for
a password if the KDC also offers encrypted timestamp.  If you control
the KDC and it is running MIT krb5 1.12 or later, you can disable
encrypted timestamp by removing the principal's long-term keys.  See
http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html for
instructions on this as well as more information about setting up PKINIT.
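The checks Greg describes (config.log result, the DISABLE_PKINIT define in include/autoconf.h, and whether the plugin got built) can be scripted against a krb5 source tree. The script below is an added example, not code from the thread or from MIT krb5; it assumes the built plugin is named plugins/preauth/pkinit/pkinit.so (an assumption about the build output), and the two sample trees it creates are constructed for the demonstration, not real builds.

```shell
#!/bin/sh
# Added example (not part of the original thread or of MIT krb5): decide whether an
# MIT krb5 source tree was configured and built with PKINIT, using the three
# artifacts discussed in the thread. The plugin file name pkinit.so is an assumption.

# Exit 0 if configure recorded PKINIT='yes' in config.log.
configlog_says_pkinit() {
    grep -q "^PKINIT='yes'" "$1"
}

# Exit 0 if include/autoconf.h compiled PKINIT out (#define DISABLE_PKINIT 1).
autoconf_disables_pkinit() {
    grep -q '^#define DISABLE_PKINIT 1' "$1"
}

# Exit 0 if the preauth plugin module exists in the tree (assumed file name).
pkinit_plugin_built() {
    [ -f "$1/plugins/preauth/pkinit/pkinit.so" ]
}

# Print "enabled", "disabled" or "unknown" for a krb5 source tree.
# The header is what the compiler actually saw, so it wins over config.log.
pkinit_status() {
    tree=$1
    if [ -f "$tree/include/autoconf.h" ] && autoconf_disables_pkinit "$tree/include/autoconf.h"; then
        echo disabled
        return 0
    fi
    if [ -f "$tree/config.log" ]; then
        if configlog_says_pkinit "$tree/config.log"; then
            echo enabled
        elif grep -q "^PKINIT='no'" "$tree/config.log"; then
            echo disabled
        else
            echo unknown
        fi
        return 0
    fi
    echo unknown
}

# Build a constructed sample tree (yes|no) that mimics the files configure leaves
# behind; the contents are made up for this demonstration.
make_sample_tree() {
    result=$1
    tree=$(mktemp -d "${TMPDIR:-/tmp}/krb5tree.XXXXXX")
    mkdir -p "$tree/include"
    printf "configure:12841: checking for a recent enough OpenSSL\nconfigure:12862: result: %s\nPKINIT='%s'\n" \
        "$result" "$result" > "$tree/config.log"
    if [ "$result" = yes ]; then
        printf '/* #undef DISABLE_PKINIT */\n' > "$tree/include/autoconf.h"
    else
        printf '#define DISABLE_PKINIT 1\n' > "$tree/include/autoconf.h"
    fi
    echo "$tree"
}

# Demonstration on two constructed trees; no real krb5 build is touched.
# If the verdict is "disabled", install the OpenSSL development files
# (libssl-dev on Debian/Ubuntu, openssl-devel on RHEL/CentOS) and re-run
# configure. If it is "enabled" and kinit still prompts for a password, run
#   KRB5_TRACE=/dev/stdout kinit -X X509_user_identity=FILE:cert.pem,key.pem user
# and look for PKINIT messages in the trace, as suggested in the reply above.
for r in yes no; do
    t=$(make_sample_tree "$r")
    echo "configure result '$r': status=$(pkinit_status "$t") plugin=$(pkinit_plugin_built "$t" && echo yes || echo no)"
    rm -rf "$t"
done
```

Point pkinit_status at the directory where you ran configure (src/ in the tarball); it reports "disabled" whenever autoconf.h carries the define, even if a stale config.log says otherwise, which matches what the compiled code will do.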
Re: Query: Need help for compiling with pkinit enabled.

Santosh Kumar
Hi Greg Hudson,

Thank you very much. Resolved.

Installed openssl-dev on my CentOS

and re-ran configure; PKINIT is "yes" in config.log, which was
earlier "no".

Regards
Santosh