Re: windows and smartcards

https://www.novabbs.com/devel/article-flat.php?id=241&group=comp.protocols.kerberos#241

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: windows and smartcards
Date: Wed, 04 May 2022 19:40:48 -0400
Organization: TNet Consulting
Lines: 32
Message-ID: <mailman.46.1651707662.8148.kerberos@mit.edu>
References: <CALTuj66DozJM-mDHxYT9HjNKbS9YCUxhCphwhyVHZ5Ae_EpYAQ@mail.gmail.com>
<202205042340.244Nem5a001656@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: kerberos@mit.edu
To: Prabin Tamang <prabintamang1040@gmail.com>
In-Reply-To: <CALTuj66DozJM-mDHxYT9HjNKbS9YCUxhCphwhyVHZ5Ae_EpYAQ@mail.gmail.com>
 by: Ken Hornstein - Wed, 4 May 2022 23:40 UTC

>I was wondering if the question listed in the link below was ever answered
>and if not, I was hoping you could provide it, please.
>https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html

I can provide a quick summary:

- Current stock MIT Kerberos for Windows does not support PKINIT (that's
what you need to use Smartcards).

- People I work with have adapted the stock MIT Kerberos PKINIT plugin
to work on Windows.

- We've talked with MIT about contributing this code back; it proceeds
in fits and starts. The last hold-up was getting a C language regular
expression library with an acceptable license for MIT (I didn't
think this would be a problem, but it turns out that it is). We use
a PCRE library for our distribution but that has its own issues.
Unfortunately the developers on that project lost their contract and
there aren't currently resources to push that forward into something
that MIT would find acceptable.

- To answer the specific question in that email message: stock MIT Kerberos
works fine with PKINIT under OS X. If you want to use it with
Smartcards, you need a compatible PKCS#11 library. If you are using
the native smartcard support on OS X (which at the moment only
supports PIV cards as far as I know), you can use Keychain-PKCS11.
For other smartcards you could probably use OpenSC which provides
a PKCS#11 library and support for smartcards that OS X does not
support natively. In the interests of full disclosure: I wrote
Keychain-PKCS11 so I am obviously biased toward it.

--Ken
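As an added illustration of the last point above (not part of Ken's post or of any MIT or OpenSC documentation), this is a krb5.conf fragment that wires MIT Kerberos PKINIT to a smart card through a PKCS#11 module. The realm name, KDC hostname, CA bundle path and both module paths are assumptions; substitute the ones from your own deployment.

```ini
# Added example, not from the original post. Realm, KDC, CA path and
# module paths below are placeholders chosen for illustration.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com

        # CA(s) the KDC's PKINIT certificate must chain to. The client
        # refuses the KDC if this is missing, so keep the bundle on a
        # root-owned, non-writable path.
        pkinit_anchors = FILE:/etc/krb5/pkinit-ca.pem

        # The client identity lives on the card, so it is loaded through a
        # PKCS#11 module instead of a FILE: or DIR: identity on disk.
        # OpenSC, for cards OS X does not drive natively (assumed path):
        #   pkinit_identities = PKCS11:module_name=/Library/OpenSC/lib/opensc-pkcs11.so
        # Keychain-PKCS11, for PIV cards handled by native OS X support
        # (assumed path):
        pkinit_identities = PKCS11:module_name=/path/to/keychain-pkcs11.dylib

        # Require the KDC certificate to carry the id-pkinit-KPKdc EKU.
        # kpKDC is MIT's default; it is spelled out here so nobody relaxes
        # it to "none" without noticing.
        pkinit_eku_checking = kpKDC
    }
```

For a one-off test without editing krb5.conf, the same identity can be passed on the command line: `kinit -X X509_user_identity=PKCS11:module_name=/path/to/module.so user@EXAMPLE.COM`.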


devel / comp.protocols.kerberos / Re: windows and smartcards

1
server_pubkey.txt

rocksolid light 0.9.81
clearnet tor