Subject: Re: windows and smartcards
From: Ken Hornstein
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Thu, 5 May 2022 02:00 UTC
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
To: Prabin Tamang <prabintamang1040@gmail.com>
Cc: kerberos@mit.edu
Message-ID: <mailman.47.1651716055.8148.kerberos@mit.edu>
In-Reply-To: <CALTuj67zttXCUQtrLEOJLkv399-afzh2Lu-fnHesJY4dyjWV4g@mail.gmail.com>
> for more information on this"
> - People I work with have adapted the stock MIT Kerberos PKINIT plugin
>   to work on Windows.
>
> Do you have any sort of documentation that you can point me to on how to
> make this work with Windows? And also Mac, as we also have Mac users.

Unfortunately, no (at least, not on Windows).

We compile our own Kerberos kit for Windows, which has the changes in
it to build the PKINIT plugin.  Actually, I believe it's worse than
that; from memory I believe we have a separate PKINIT plugin directory.
And ... the build environment is a huge mess there.  I don't recall that
the code changes are large (I didn't do them), but you do need to source
a windows-compatible regular expression library.  One of my long term
goals is to get us using as much stock MIT code as possible, but I never
did work out getting our changes to PKINIT to make it functional on Windows
into stock MIT Kerberos.  So, I can't really help you there.

> Currently, my main focus is on Windows machines, so the steps I have taken
> to try to authenticate with a smartcard are:
> 1. Install MIT Kerberos
> 2. Install opensc-pkcs11
> 3. Use the following command in the hope that it will use the smartcard:
> kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dill

Right, I think you'll have more success with this on MacOS X.  The code
for Windows simply doesn't exist, at least in vanilla MIT Kerberos.  There
are a lot of pieces you need to make PKINIT work, so I'd start with a
platform where it at least is known to work.

--Ken
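The `kinit -X x509_user_identity=PKCS11:...` step in the quoted list is the point where the PKCS#11 module, the slot and the certificate all have to be named correctly before the KDC is ever contacted. The helper below is an added example, not code from this thread or from MIT Kerberos: it parses an identity string in the syntax MIT krb5 documents for PKCS#11 identities (`PKCS11:[module_name=]modname[:slotid=N][:token=label][:certid=id][:certlabel=label]`), reports a module path whose suffix does not match the platform's shared-library suffix or that does not exist, and builds the `kinit` argument vector with the identity passed as a single argv element. The module paths, principal and certificate label are constructed placeholders; `x509_anchors` is a real `kinit -X` option, and the per-platform suffix table is my assumption about where OpenSC usually installs.

```python
"""Sanity-check a PKINIT PKCS#11 identity string before handing it to kinit.

Illustrative helper, not part of MIT Kerberos. The identity syntax parsed here
is the one MIT krb5 documents for pkinit_identities / kinit -X:
  PKCS11:[module_name=]modname[:slotid=N][:token=label][:certid=id][:certlabel=label]
All paths, labels and the principal below are constructed examples.
"""
import os
import shlex
import sys

KNOWN_KEYS = ("module_name", "slotid", "token", "certid", "certlabel")

# Usual shared-library suffix of a PKCS#11 module per platform (assumption).
MODULE_SUFFIX = {"win32": ".dll", "darwin": ".dylib", "linux": ".so"}


def parse_pkcs11_identity(identity):
    """Split a PKCS11: identity string into its key/value parts.

    ':' separates fields and '=' separates key from value, as in the documented
    syntax; a bare first field is taken as the module name.
    """
    if not identity.startswith("PKCS11:"):
        raise ValueError("identity must start with 'PKCS11:'")
    parts = {}
    for index, field in enumerate(identity[len("PKCS11:"):].split(":")):
        if "=" in field:
            key, _, value = field.partition("=")
        elif index == 0 and field:
            key, value = "module_name", field
        else:
            # ':' is the delimiter, so a Windows drive-letter path such as
            # C:\... cannot appear literally; it would be split apart here.
            raise ValueError(f"field {field!r} is not key=value")
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown key {key!r}")
        if key in parts:
            raise ValueError(f"duplicate key {key!r}")
        parts[key] = value
    if "module_name" not in parts:
        raise ValueError("module_name is required")
    if "slotid" in parts and not parts["slotid"].isdigit():
        raise ValueError("slotid must be a non-negative integer")
    return parts


def check_module(module_name, platform=sys.platform):
    """Return human-readable findings about the PKCS#11 module path."""
    findings = []
    suffix = next((s for p, s in MODULE_SUFFIX.items() if platform.startswith(p)), None)
    if suffix and not module_name.lower().endswith(suffix):
        findings.append(f"module {module_name!r} does not end in {suffix}, "
                        f"the usual PKCS#11 module suffix on {platform}")
    if os.path.isabs(module_name) and not os.path.isfile(module_name):
        findings.append(f"module file {module_name!r} does not exist")
    return findings


def kinit_argv(principal, identity, anchors=None):
    """Build the kinit argument vector; the identity is one argv element,
    so spaces in a certlabel or path survive without shell quoting tricks."""
    argv = ["kinit", "-X", "x509_user_identity=" + identity]
    if anchors:
        argv += ["-X", "x509_anchors=" + anchors]
    argv.append(principal)
    return argv


if __name__ == "__main__":
    # Constructed example values; substitute the real module path and principal.
    identity = ("PKCS11:module_name=/usr/lib/opensc-pkcs11.so:slotid=0"
                ":certlabel=Certificate for PIV Authentication")
    parsed = parse_pkcs11_identity(identity)
    for line in check_module(parsed["module_name"]):
        print("warning:", line)
    print(shlex.join(kinit_argv("user@EXAMPLE.COM", identity,
                                anchors="FILE:/etc/krb5/cacert.pem")))
```

Running it on a host without OpenSC prints a warning that the module file is missing and then the exact command line that would be run; the same check on Windows flags a module name that does not end in `.dll`.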
