X.509 preauth


X.509 preauth

Pascal Jakobi

Hi there

I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
CentOS/Fedora/RHEL.
I have created the certificates with OpenSSL, everything looks fine - I
have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and
the corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin: "modprinc +requires_preauth
toto".

I run kinit for the "toto" principal with KRB5_TRACE set. I can see that
the KDC sends the following to the client :

    [6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133

PA-PK-AS-REQ (16), which I understand is for X.509 certificate
preauthentication, is not in the list.

I guess something is therefore wrong on my KDC configuration, but I
cannot see what.
Can someone enlighten me?
Thanks in advance

--
Pascal Jakobi <mailto:[hidden email]>
116 rue de Stalingrad, 93100 Montreuil
France
Tel : +33 6 87 47 58 19



_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Attachment: krb5.conf (920 bytes)

Re: X.509 preauth

Greg Hudson
On 10/30/2015 06:14 PM, Pascal Jakobi wrote:
> PA-PK-AS-REQ (16), which I understand is for X.509 certificate
> preauthentication, is not in the list.
[...]

[From krb5.conf]
>   pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>   pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem

You should put the KDC certificate paths in "pkinit_identity", and the
client certificate paths in "pkinit_identities".  (These are two of the
most confusingly named variables in krb5.conf, and we are considering
introducing new names for them and deprecating the old ones.)

Since the KDC isn't seeing a "pkinit_identity" configured, it isn't
offering PKINIT.

If you haven't read it already, see:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html

Re: X.509 preauth

Pascal Jakobi
Thanks for your promptness, but this does not solve it (even if necessary):

    kinit pascal -X pkinit_identities='/etc/pki/krb5/certs/pascal_cert.pem,/etc/pki/krb5/private/pascal_key.pem' -X509_anchors=/etc/pki/CA/certs/ca_corp_cert.pem -X X509_user_identity=C=FR,L=Paris,O=Corp,CN=Pascal
    [28177] 1446299933.125876: Getting initial credentials for [hidden email]
    [28177] 1446299933.126101: Sending request (163 bytes) to THALES.COM
    [28177] 1446299933.126331: Resolving hostname kdc.jakobi.fr
    [28177] 1446299933.129971: Sending initial UDP request to dgram 192.168.1.34:88
    [28177] 1446299933.130844: Received answer (199 bytes) from dgram 192.168.1.34:88
    [28177] 1446299933.134661: Response was not from master KDC
    [28177] 1446299933.134746: Received error from KDC: -1765328359/Additional pre-authentication required
    *[28177] 1446299933.134801: Processing preauth types: 136, 133*
    [28177] 1446299933.134810: Received cookie: MIT
    [28177] 1446299933.134833: Retrying AS request with master KDC
    [28177] 1446299933.134841: Getting initial credentials for [hidden email]
    [28177] 1446299933.134900: Sending request (163 bytes) to THALES.COM (master)
    kinit: Generic preauthentication failure while getting initial credentials

Problem is that nothing is logged on the KDC side...


Attachments: kdc_krb5.conf (705 bytes), client_krb5.conf (4K), certs.lst (9K)

Re: X.509 preauth

Greg Hudson
On 10/31/2015 10:06 AM, Pascal Jakobi wrote:
> Problem is that nothing is logged on the KDC side...

There should be a message at startup, like:

    Oct 29 13:04:46 equal-rites krb5kdc[19021](Error): preauth pkinit
    failed to initialize: No realms configured correctly for pkinit
    support

although it isn't as specific as it should be.

> pkinit_identity = FILE:/etc/pki/krb5/certs/kdc_cert.pem, /etc/pki/krb5/private/kdc_key.pem

I don't think the space after the comma there is permitted.  (More
precisely, it's treated as part of the pathname for the key file.)
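The two KDC-side pitfalls Greg points out above (the KDC's own certificate and key must go in pkinit_identity, not the client-side pkinit_identities, and whitespace after the comma in a FILE: value is read as part of the key path) are easy to lint for. The following Python script is an added example, not part of this thread or of MIT krb5: it parses the profile syntax used by krb5.conf and kdc.conf ([section] headers, key = value lines and the key = { ... } realm blocks), lets realm blocks inherit from [kdcdefaults] the way the KDC does, and reports both problems. The sample configurations and their paths are constructed for illustration and are not the poster's files.

```python
import re
from typing import Dict, List

Section = Dict[str, object]  # values are str or a nested Section

# Constructed sample: same shape as the misconfiguration in the thread.
# The KDC cert is under pkinit_identities (the client setting) and the
# key path carries a space after the comma.
BAD_CONF = """\
[kdcdefaults]
  kdc_ports = 88
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
    pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
  }
"""

# Constructed corrected form: pkinit_identity, no whitespace inside the value.
GOOD_CONF = """\
[kdcdefaults]
  kdc_ports = 88
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
    pkinit_identity = FILE:/var/kerberos/krb5kdc/kdccert.pem,/var/kerberos/krb5kdc/kdckey.pem
  }
"""


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Minimal profile parser: [section] headers, 'key = value' lines and
    'key = { ... }' nested blocks. '#'/';' comment lines are skipped.
    Deliberately not a full implementation of the krb5 profile format."""
    root: Dict[str, Section] = {}
    stack: List[Section] = []          # innermost block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"value outside any section: {raw!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            child: Section = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1][key] = value
    return root


PKINIT_PATH_KEYS = ("pkinit_identity", "pkinit_identities", "pkinit_anchors")


def check_kdc_pkinit(text: str) -> List[str]:
    """Return one finding per pitfall, for [kdcdefaults] and every realm:
    whitespace after a comma in a pkinit_* value, and a realm whose effective
    settings (realm block over [kdcdefaults]) have no pkinit_identity."""
    conf = parse_krb5_conf(text)
    defaults = conf.get("kdcdefaults", {})
    findings: List[str] = []

    def scope_check(name: str, block: Section) -> None:
        for key in PKINIT_PATH_KEYS:
            value = block.get(key)
            if isinstance(value, str) and re.search(r",\s", value):
                findings.append(f"{name}: {key} has whitespace after a comma; "
                                "it is read as part of the following path")

    scope_check("[kdcdefaults]", defaults)
    for realm, block in conf.get("realms", {}).items():
        if not isinstance(block, dict):
            continue
        scope_check(f"realm {realm}", block)
        effective = {**defaults, **block}   # realm overrides [kdcdefaults]
        if "pkinit_identity" not in effective:
            hint = (" (pkinit_identities is set, but that is the client setting)"
                    if "pkinit_identities" in effective else "")
            findings.append(f"realm {realm}: no pkinit_identity, so the KDC "
                            f"will not offer PKINIT{hint}")
    return findings


if __name__ == "__main__":
    for label, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(f"{label}:")
        for finding in check_kdc_pkinit(conf) or ["no findings"]:
            print("  -", finding)
```

Run against the KDC's merged configuration (the KDC reads both krb5.conf and kdc.conf, and pkinit settings are honoured in [kdcdefaults] and per realm), the BAD_CONF sample yields both findings and GOOD_CONF none; the realm-only check is intentional because a client-side file can legitimately carry pkinit_identities without pkinit_identity.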

Re: X.509 preauth

Pascal Jakobi
I corrected the " " issue in krb5.conf. Does not change anything.
Also rechecked the log (attached). Nothing more than

    oct. 31 16:53:52 kdc.jakobi.fr krb5kdc[903](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.4: NEEDED_PREAUTH: [hidden email] for krbtgt/[hidden email], Additional pre-authentication required

Thanks again for your help!
P

PS: I also checked that pkinit is installed:
[pascal@kdc ~]$ rpm -qa | grep krb5
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
krb5-workstation-1.12.2-15.el7_1.x86_64
pam_krb5-2.4.8-4.el7.x86_64
krb5-pkinit-1.12.2-15.el7_1.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
krb5-server-ldap-1.12.2-15.el7_1.x86_64
krb5-server-1.12.2-15.el7_1.x86_64
krb5-libs-1.12.2-15.el7_1.x86_64




On 31.10.2015 03:06 carra, Pascal Jakobi wrote:
> kinit pascal -X
> pkinit_identities='/etc/pki/krb5/certs/pascal_cert.pem,/etc/pki/krb5/private/pascal_key.pem'
> -X509_anchors=/etc/pki/CA/certs/ca_corp_cert.pem -X
> X509_user_identity=C=FR,L=Paris,O=Corp,CN=Pascal


Attachment: krb5kdc.log (19K)

Re: X.509 preauth

Pascal Jakobi
It works now!
Reinstalled the whole stuff and it works now as expected.
Sorry for the disturbance...

