Subject: Re: windows and smartcards
From: Prabin Tamang
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Thu, 5 May 2022 05:11 UTC
Gotcha, thank you very much for all the help.
I guess just out of curiosity:
- for Windows: there are other tools such as Heimdal and Microsoft
Kerberos. With those, I don't know if you have ever played around with them or
know if they support smartcard and PIN authentication to get a ticket
manually.
Manually meaning: get a ticket for a specified account with the use of
kinit or similar tools.

Prabin

On Wed, May 4, 2022 at 10:00 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

>>> for more information on this"
>>> - People I work with have adapted the stock MIT Kerberos PKINIT plugin
>>>  to work on Windows.
>>
>> Do you have any sort of documentation that you can point me to on how to
>> make this work with Windows? And also Mac, as we also have Mac users.
>
> Unfortunately, no (at least, not on Windows).
>
> We compile our own Kerberos kit for Windows, which has the changes in
> it to build the PKINIT plugin.  Actually, I believe it's worse than
> that; from memory I believe we have a separate PKINIT plugin directory.
> And ... the build environment is a huge mess there.  I don't recall that
> the code changes are large (I didn't do them), but you do need to source
> a Windows-compatible regular expression library.  One of my long-term
> goals is to get us using as much stock MIT code as possible, but I never
> did work out getting our changes to PKINIT to make it functional on Windows
> into stock MIT Kerberos.  So, I can't really help you there.
>
>> Currently, my main focus is on Windows machines, so the steps I have done
>> to try to authenticate with a smartcard:
>> 1. install MIT Kerberos
>> 2. Install opensc-pkcs11
>> 3. use the following command in the hope that it will use the smartcard:
>> kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dll
>
> Right, I think you'll have more success with this on MacOS X.  The code
> for Windows simply doesn't exist, at least in vanilla MIT Kerberos.  There
> are a lot of pieces you need to make PKINIT work, so I'd start with a
> platform where it at least is known to work.
>
> --Ken



--
Thank you,
Prabin Tamang
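As an added example that is not part of this thread, a POSIX shell preflight check for the smartcard `kinit` step discussed above: before running `kinit -X X509_user_identity=PKCS11:<module>` (the option name as documented by MIT Kerberos), it confirms that the PKCS#11 module file and the MIT pkinit preauth plugin are actually present, since a missing plugin is exactly the failure Ken describes for Windows builds. The plugin directories, the `pkinit.dylib`/`pkinit.dll` file names and the OpenSC module path are assumptions for common packaging, not from the thread.

```shell
#!/bin/sh
# Preflight for smartcard kinit via MIT PKINIT + PKCS#11 (added example, not from the thread).
# Usage: pkinit_preflight MODULE [PLUGIN_DIR ...]
# Prints the kinit -X argument on success; returns non-zero with a reason otherwise.

# Assumed preauth plugin directories for Debian/Ubuntu, Fedora/RHEL and Homebrew builds.
DEFAULT_PLUGIN_DIRS="/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth /usr/lib64/krb5/plugins/preauth /usr/local/opt/krb5/lib/krb5/plugins/preauth"

pkinit_preflight() {
    module=$1
    [ -n "$module" ] || { echo "usage: pkinit_preflight MODULE [PLUGIN_DIR...]" >&2; return 1; }
    shift
    [ "$#" -gt 0 ] || set -- $DEFAULT_PLUGIN_DIRS

    # The PKCS#11 module (e.g. OpenSC's opensc-pkcs11.so) must be a readable file.
    [ -r "$module" ] || { echo "PKCS#11 module not readable: $module" >&2; return 2; }

    # MIT Kerberos loads PKINIT from a preauth plugin directory; the file is
    # pkinit.so on Unix-like builds (dylib/dll names are assumptions).
    found=
    for dir in "$@"; do
        for name in pkinit.so pkinit.dylib pkinit.dll; do
            if [ -r "$dir/$name" ]; then
                found="$dir/$name"
                break 2
            fi
        done
    done
    [ -n "$found" ] || { echo "no pkinit preauth plugin found in: $*" >&2; return 3; }

    echo "X509_user_identity=PKCS11:$module"
}

# Stand-alone use: ./pkinit_preflight.sh /usr/lib/opensc-pkcs11.so user@EXAMPLE.COM
# Only runs kinit when both the module path and a principal are given.
if [ "$#" -eq 2 ]; then
    if arg=$(pkinit_preflight "$1"); then
        exec kinit -X "$arg" "$2"
    else
        exit $?
    fi
fi
```

When the check fails, the exit code (2 for a missing module, 3 for a missing plugin) tells you which piece to install before debugging the card or PIN prompt.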

