Subject: Re: windows and smartcards
From: Prabin Tamang
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Thu, 5 May 2022 01:20 UTC
Hi,

for more information on this"
- People I work with have adapted the stock MIT Kerberos PKINIT plugin
  to work on Windows.

Do you have any sort of documentation that you can point me to on how to
make this work with Windows? And also Mac, as we also have Mac users.

Currently, my main focus is on Windows machines, so the steps I have taken
to try to authenticate with a smartcard are:
1. Install MIT Kerberos
2. Install opensc-pkcs11
3. Use the following command in the hope that it will use the smartcard:
   kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dll

but I have not been successful.

Again, I am continuing this discussion because you mentioned that "people
have made it work with windows with the use of pkinit plugin".
And finally, I would like to say thank you very much for replying, as this
was very helpful information.

Best,
Prabin

On Wed, May 4, 2022 at 7:40 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

I was wondering if the question listed in the link below was ever answered
and, if not, I was hoping you could provide an answer, please.
https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html

I can provide a quick summary:

- Current stock MIT Kerberos for Windows does not support pkinit (that's
  what you need to use Smartcards).

- People I work with have adapted the stock MIT Kerberos PKINIT plugin
  to work on Windows.

- We've talked with MIT about contributing this code back; it proceeds
  in fits and starts.  The last hold-up was getting a C language regular
  expression library with an acceptable license for MIT (I didn't
  think this would be a problem, but it turns out that it is).  We use
  a PCRE library for our distribution but that has its own issues.
  Unfortunately the developers on that project lost their contract and
  there aren't currently resources to push that forward into something
  that MIT would find acceptable.

- To answer the specific question in that email message: stock MIT Kerberos
  works fine with PKINIT under OS X.  If you want to use it with
  Smartcards, you need a compatible PKCS#11 library.  If you are using
  the native smartcard support on OS X (which at the moment only
  supports PIV cards as far as I know), you can use Keychain-PKCS11.
  For other smartcards you could probably use OpenSC which provides
  a PKCS#11 library and support for smartcards that OS X does not
  support natively.  In the interests of full disclosure: I wrote
  Keychain-PKCS11 so I am obviously biased toward it.

--Ken



--
Thank you,
Prabin Tamang
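As an added example that is not part of the thread or of MIT Kerberos itself, the POSIX shell script below wraps the kinit invocation from Prabin's step 3 and the PKCS#11 module choice from Ken's macOS note: it builds the x509_user_identity value in MIT's documented PKCS11 syntax and checks the module and token before kinit ever talks to a KDC. The module paths and the use of OpenSC's pkcs11-tool are assumptions about a typical install, not something the thread states; on Windows, where Ken says stock KfW lacks PKINIT, no preflight can stand in for the missing plugin.

```shell
#!/bin/sh
# Added example, not from the thread or MIT Kerberos: build the value for
# `kinit -X x509_user_identity=...` and check the pieces before any KDC is
# contacted. Assumes MIT kinit and OpenSC's pkcs11-tool on PATH; the module
# paths are typical install locations (an assumption), adjust for your host.

# Candidate PKCS#11 modules: OpenSC or Keychain-PKCS11 on macOS, OpenSC on
# Linux. Prints the first readable one; returns 1 if none is installed.
default_pkcs11_module() {
  for m in /Library/OpenSC/lib/opensc-pkcs11.so \
           /Library/KeychainPKCS11/keychain-pkcs11.dylib \
           /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
           /usr/lib64/opensc-pkcs11.so; do
    [ -r "$m" ] && { printf '%s\n' "$m"; return 0; }
  done
  return 1
}

# Identity string in MIT's documented form:
#   PKCS11:module_name=MOD[:slotid=N][:certlabel=LABEL]
# Usage: pkinit_identity MODULE [SLOT] [CERTLABEL]
pkinit_identity() {
  [ -n "$1" ] || { echo "pkinit_identity: module path required" >&2; return 1; }
  id="PKCS11:module_name=$1"
  [ -n "$2" ] && id="$id:slotid=$2"
  [ -n "$3" ] && id="$id:certlabel=$3"
  printf '%s\n' "$id"
}

# Preflight: module readable, kinit present, token answers through the module.
# Fails at the first missing piece so the cause is visible instead of a
# generic preauthentication error from kinit.
pkinit_preflight() {
  [ -r "$1" ] || { echo "PKCS#11 module not readable: $1" >&2; return 1; }
  command -v kinit >/dev/null 2>&1 || { echo "kinit not on PATH" >&2; return 1; }
  pkcs11-tool --module "$1" --list-slots >/dev/null 2>&1 \
    || { echo "no usable token behind $1" >&2; return 1; }
}

# Stand-alone use: PRINCIPAL=user@REALM [PKCS11_MODULE=/path/mod.so] sh pkinit.sh
if [ -n "${PRINCIPAL:-}" ]; then
  mod=${PKCS11_MODULE:-$(default_pkcs11_module)} || exit 1
  pkinit_preflight "$mod" \
    && kinit -X "x509_user_identity=$(pkinit_identity "$mod")" "$PRINCIPAL"
fi
```

Run it with PRINCIPAL set; if the preflight fails, the message names the missing piece (module, kinit, or token) rather than leaving only kinit's error to go on.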

