Discussion:
X.509 preauth
Pascal Jakobi
2015-10-30 22:14:56 UTC
Hi there

I am trying to run pkinit/X.509 with the standard MIT rpms delivered on
CentOS/Fedora/RHEL.
I have created the certificates with OpenSSL, everything looks fine - I
have a client cert such as /C=FR/L=Gennevilliers/O=Thales/CN=Toto, and
the corresponding KDC cert and CA cert have been checked.
I also modified the principal with kadmin: "modprinc +requires_preauth
toto".

I run kinit for the "toto" principal with KRB5_TRACE set. I can see that
the KDC sends the following to the client :

[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133

PA-PK-AS-REQ (16), which I understand is for X.509 certificate
preauthentication, is not in the list.

I guess something is therefore wrong on my KDC configuration, but I
cannot see what.
Can someone enlighten me?
Thanks in advance
--
Pascal Jakobi <mailto:***@gmail.com>
116 rue de Stalingrad, 93100 Montreuil
France
Tel : +33 6 87 47 58 19
Greg Hudson
2015-10-31 03:18:25 UTC
Post by Pascal Jakobi
PA-PK-AS-REQ (16), which I understand is for X.509 certificate
preauthentication, is not in the list.
[...]

[From krb5.conf]
Post by Pascal Jakobi
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
You should put the KDC certificate paths in "pkinit_identity", and the
client certificate paths in "pkinit_identities". (These are two of the
most confusingly named variables in krb5.conf, and we are considering
introducing new names for them and deprecating the old ones.)

Since the KDC isn't seeing a "pkinit_identity" configured, it isn't
offering PKINIT.

If you haven't read it already, see:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/pkinit.html
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Pascal Jakobi
2015-10-31 14:06:21 UTC
Thanks for your promptness, but this does not solve it (even if necessary):

kinit pascal -X pkinit_identities='/etc/pki/krb5/certs/pascal_cert.pem,/etc/pki/krb5/private/pascal_key.pem' \
    -X X509_anchors=/etc/pki/CA/certs/ca_corp_cert.pem \
    -X X509_user_identity=C=FR,L=Paris,O=Corp,CN=Pascal
[28177] 1446299933.125876: Getting initial credentials for
***@THALES.COM
[28177] 1446299933.126101: Sending request (163 bytes) to THALES.COM
[28177] 1446299933.126331: Resolving hostname kdc.jakobi.fr
[28177] 1446299933.129971: Sending initial UDP request to dgram
192.168.1.34:88
[28177] 1446299933.130844: Received answer (199 bytes) from dgram
192.168.1.34:88
[28177] 1446299933.134661: Response was not from master KDC
[28177] 1446299933.134746: Received error from KDC:
-1765328359/Additional pre-authentication required
*[28177] 1446299933.134801: Processing preauth types: 136, 133*
[28177] 1446299933.134810: Received cookie: MIT
[28177] 1446299933.134833: Retrying AS request with master KDC
[28177] 1446299933.134841: Getting initial credentials for
***@THALES.COM
[28177] 1446299933.134900: Sending request (163 bytes) to THALES.COM
(master)
kinit: Generic preauthentication failure while getting initial
credentials

Problem is that nothing is logged on the KDC side...
Greg Hudson
2015-10-31 15:45:10 UTC
Post by Pascal Jakobi
Problem is that nothing is logged on the KDC side...
There should be a message at startup, like:

Oct 29 13:04:46 equal-rites krb5kdc[19021](Error): preauth pkinit
failed to initialize: No realms configured correctly for pkinit
support

although it isn't as specific as it should be.
Post by Pascal Jakobi
pkinit_identity = FILE:/etc/pki/krb5/certs/kdc_cert.pem, /etc/pki/krb5/private/kdc_key.pem
I don't think the space after the comma there is permitted. (More
precisely, it's treated as part of the pathname for the key file.)
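The two KDC-side mistakes discussed in this thread (KDC credentials placed in the client-side `pkinit_identities` option instead of `pkinit_identity`, and a space after the comma in a `FILE:cert,key` value that silently becomes part of the key file name) are easy to lint for before restarting krb5kdc. The script below is an added example, not code from the krb5 project or from anyone in this thread; it uses a deliberately minimal parser for the `[realms]` stanza of krb5.conf (one level of braces, which is what krb5.conf uses), and it also decodes a `KRB5_TRACE` "Processing preauth types:" line like the one in the first post to report whether the KDC offered PA-PK-AS-REQ (16). The sample configuration strings are constructed to mirror the thread; the realm name and paths are assumptions.

```python
"""Lint KDC-side PKINIT settings in krb5.conf and decode a KRB5_TRACE preauth line.

Added example (not krb5 project code). Assumes the KDC reads its realm
settings from a [realms] stanza of the form shown in the constructed samples.
"""
import re

# Preauth type numbers (RFC 4120, 4556, 6113) that appear in the thread's traces.
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    16: "PA-PK-AS-REQ",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-ENCRYPTED-CHALLENGE",
}
PA_PK_AS_REQ = 16


def parse_realms(conf_text):
    """Parse the [realms] section into {realm: {key: value}} (one brace level)."""
    realms = {}
    section = None
    realm = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^\s*\[(\w+)\]\s*$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"^\s*(\S+)\s*=\s*\{\s*$", line)  # "REALM = {"
        if m:
            realm = m.group(1)
            realms[realm] = {}
            continue
        if line.strip() == "}":
            realm = None
            continue
        if realm is not None and "=" in line:
            key, value = line.split("=", 1)
            # Only outer whitespace is stripped: a space after the comma in
            # "FILE:cert, key" survives so the lint below can see it.
            realms[realm][key.strip()] = value.strip()
    return realms


def lint_realm(settings):
    """Return a list of findings for one realm's KDC-side PKINIT settings."""
    findings = []
    if "pkinit_identity" not in settings:
        findings.append("pkinit_identity missing: the KDC has no cert/key and will not offer PKINIT")
    if "pkinit_identities" in settings:
        findings.append("pkinit_identities is the client option; the KDC ignores it (use pkinit_identity)")
    if "pkinit_anchors" not in settings:
        findings.append("pkinit_anchors missing: the KDC cannot validate client certificates")
    for key in ("pkinit_identity", "pkinit_identities"):
        value = settings.get(key, "")
        if value.startswith("FILE:") and re.search(r",\s", value):
            findings.append(f"{key}: whitespace after the comma becomes part of the key file name")
    return findings


def pkinit_offered(trace_line):
    """Decode a KRB5_TRACE 'Processing preauth types:' line -> (types, offered)."""
    m = re.search(r"Processing preauth types:\s*([\d,\s]+)$", trace_line)
    if not m:
        raise ValueError("not a preauth-types trace line")
    types = [int(t) for t in m.group(1).split(",")]
    return types, PA_PK_AS_REQ in types


def describe_types(types):
    """Map preauth type numbers to names where known."""
    return [PA_NAMES.get(t, f"PA-{t}") for t in types]


# Constructed samples mirroring the thread: the original stanza and the corrected one.
BROKEN_CONF = """\
[realms]
 THALES.COM = {
  kdc = kdc.jakobi.fr
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_identities = FILE:/var/kerberos/krb5kdc/kdccert.pem, /var/kerberos/krb5kdc/kdckey.pem
 }
"""
FIXED_CONF = """\
[realms]
 THALES.COM = {
  kdc = kdc.jakobi.fr
  pkinit_anchors = FILE:/etc/pki/CA/certs/ca_corp_cert.pem
  pkinit_identity = FILE:/etc/pki/krb5/certs/kdc_cert.pem,/etc/pki/krb5/private/kdc_key.pem
 }
"""
TRACE_LINE = "[6832] 1446241709.215007: Processing preauth types: 136, 19, 2, 133"

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for realm, settings in parse_realms(conf).items():
            print(f"{label} {realm}: {lint_realm(settings) or ['ok']}")
    types, offered = pkinit_offered(TRACE_LINE)
    print(describe_types(types), "PKINIT offered:", offered)
```

Run on the broken stanza it reports the missing `pkinit_identity`, the misused `pkinit_identities`, and the space after the comma; on the corrected stanza it reports nothing, and the trace line from the first post decodes to PA-ENCRYPTED-CHALLENGE, PA-ETYPE-INFO2, PA-ENC-TIMESTAMP and PA-FX-COOKIE with no PA-PK-AS-REQ, which is exactly the symptom of a KDC that has no identity configured.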
Pascal Jakobi
2015-11-01 18:10:11 UTC
It works now!
Reinstalled the whole stuff and it works now as expected.
Sorry for the disturbance...
Post by Greg Hudson
Post by Pascal Jakobi
Problem is that nothing is logged on the KDC side...
Oct 29 13:04:46 equal-rites krb5kdc[19021](Error): preauth pkinit
failed to initialize: No realms configured correctly for pkinit
support
although it isn't as specific as it should be.
Post by Pascal Jakobi
pkinit_identity = FILE:/etc/pki/krb5/certs/kdc_cert.pem, /etc/pki/krb5/private/kdc_key.pem
I don't think the space after the comma there is permitted. (More
precisely, it's treated as part of the pathname for the key file.)
Pascal Jakobi
2015-10-31 15:59:13 UTC
I corrected the " " issue in krb5.conf. Does not change anything.
Also rechecked the log (attached). Nothing more than

oct. 31 16:53:52 kdc.jakobi.fr krb5kdc[903](info): AS_REQ (6 etypes
{18 17 16 23 25 26}) 192.168.1.4: NEEDED_PREAUTH: ***@THALES.COM
for krbtgt/***@THALES.COM, Additional pre-authentication required

Thanks again for your help !
P

PS: I also checked that pkinit is installed:
[***@kdc ~]$ rpm -qa | grep krb5
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
krb5-workstation-1.12.2-15.el7_1.x86_64
pam_krb5-2.4.8-4.el7.x86_64
krb5-pkinit-1.12.2-15.el7_1.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
krb5-server-ldap-1.12.2-15.el7_1.x86_64
krb5-server-1.12.2-15.el7_1.x86_64
krb5-libs-1.12.2-15.el7_1.x86_64
Post by Pascal Jakobi
kinit pascal -X pkinit_identities='/etc/pki/krb5/certs/pascal_cert.pem,/etc/pki/krb5/private/pascal_key.pem' \
    -X X509_anchors=/etc/pki/CA/certs/ca_corp_cert.pem \
    -X X509_user_identity=C=FR,L=Paris,O=Corp,CN=Pascal