Subject: Re: windows and smartcards
From: Ken Hornstein
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Wed, 4 May 2022 23:40 UTC
References: 1 2
Message-ID: <202205042340.244Nem5a001656@hedwig.cmf.nrl.navy.mil>
In-Reply-To: <CALTuj66DozJM-mDHxYT9HjNKbS9YCUxhCphwhyVHZ5Ae_EpYAQ@mail.gmail.com>
> I was wondering if the question listed in the link below was ever answered
> and if not, I was hoping you could provide please.
> https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html

I can provide a quick summary:

- Current stock MIT Kerberos for Windows does not support pkinit (that's
  what you need to use Smartcards).

- People I work with have adapted the stock MIT Kerberos PKINIT plugin
  to work on Windows.

- We've talked with MIT about contributing this code back; it proceeds
  in fits and starts.  The last hold-up was getting a C language regular
  expression library with an acceptable license for MIT (I didn't
  think this would be a problem, but it turns out that it is).  We use
  a PCRE library for our distribution but that has its own issues.
  Unfortunately the developers on that project lost their contract and
  there aren't currently resources to push that forward into something
  that MIT would find acceptable.

- To answer the specific question in that email message: stock MIT Kerberos
  works fine with PKINIT under OS X.  If you want to use it with
  Smartcards, you need a compatible PKCS#11 library.  If you are using
  the native smartcard support on OS X (which at the moment only
  supports PIV cards as far as I know), you can use Keychain-PKCS11.
  For other smartcards you could probably use OpenSC which provides
  a PKCS#11 library and support for smartcards that OS X does not
  support natively.  In the interests of full disclosure: I wrote
  Keychain-PKCS11 so I am obviously biased toward it.

--Ken
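The configuration the last point describes, as an added illustration that is not part of Ken's reply nor shipped by MIT Kerberos, OpenSC or Keychain-PKCS11: a krb5.conf fragment that enables PKINIT for one realm and takes the client identity from a smartcard through a PKCS#11 module. The realm name, KDC host, CA bundle path and the two module paths are assumptions; check where your OpenSC or Keychain-PKCS11 package actually installs its library.

```ini
; Assumed realm and hosts; replace with your own.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com

        ; Trust anchors used to validate the KDC's PKINIT certificate.
        ; Without this the client cannot verify who issued its TGT.
        pkinit_anchors = FILE:/etc/krb5/pkinit-ca.pem

        ; Require the KDC certificate to carry the PKINIT KDC EKU.
        pkinit_eku_checking = kpKDC

        ; Client certificate and key come from the card via PKCS#11.
        ; OpenSC module (assumed install path):
        pkinit_identities = PKCS11:module_name=/Library/OpenSC/lib/opensc-pkcs11.so

        ; Keychain-PKCS11 alternative for cards handled natively by OS X
        ; (assumed install path); use one pkinit_identities line, not both:
        ; pkinit_identities = PKCS11:module_name=/Library/KeychainPKCS11/keychain-pkcs11.dylib

        ; Optional selectors if the card exposes several slots or certificates:
        ; pkinit_identities = PKCS11:module_name=...:slotid=0:certlabel=PIV AUTH
    }
```

With this in place a plain `kinit user@EXAMPLE.COM` prompts for the card PIN instead of a password; the same identity string can also be given per invocation with `kinit -X X509_user_identity=PKCS11:module_name=/path/to/module.so user@EXAMPLE.COM` when testing a module before committing it to the config. Keep `pkinit_anchors` restricted to the CA that actually issues your KDC certificates rather than a general-purpose bundle, since any certificate chaining to an anchor listed there could be accepted as a KDC.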
