Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

When we write programs that "learn", it turns out we do and they don't.


computers / comp.protocols.kerberos / Re: windows and smartcards

SubjectAuthor
o Re: windows and smartcardsKen Hornstein

1
Subject: Re: windows and smartcards
From: Ken Hornstein
Newsgroups: comp.protocols.kerberos
Organization: TNet Consulting
Date: Thu, 5 May 2022 14:41 UTC
References: 1 2 3 4 5 6
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: windows and smartcards
Date: Thu, 05 May 2022 10:41:41 -0400
Organization: TNet Consulting
Lines: 23
Message-ID: <mailman.50.1651761726.8148.kerberos@mit.edu>
References: <CALTuj66DozJM-mDHxYT9HjNKbS9YCUxhCphwhyVHZ5Ae_EpYAQ@mail.gmail.com>
<202205042340.244Nem5a001656@hedwig.cmf.nrl.navy.mil>
<CALTuj67zttXCUQtrLEOJLkv399-afzh2Lu-fnHesJY4dyjWV4g@mail.gmail.com>
<202205050200.24520jx6002513@hedwig.cmf.nrl.navy.mil>
<CALTuj67a3EZeOB6B8ydfrzyAoyaj7S7F80qzGhrBwab_7fj2cg@mail.gmail.com>
<202205051441.245Effnu006676@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="10170"; mail-complaints-to="newsmaster@tnetconsulting.net"
Cc: kerberos@mit.edu
To: Prabin Tamang <prabintamang1040@gmail.com>
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=EgyP7NZZ9p21xQUVX6N1xqJEvF5ynHP0XXbgjQtmCvhOCIE+LW683Mf06My76U3PiJD36ye1Ko3CAqXxnVkZ0u5voRRKDJzku7wowJXyM7QVrQQ5K0BlZpbxdtfh61yOpvohWQkcu834yc0HBo3hq7fVZ+UvGYJM/wruHXSIvGCLwXv18/Xq61JKqYVFGs5VhGNxSbAEV+UPqaD2dnwyDUAcHOPURI0WSMg0WLIfP5NLOoopmvdkH5CIePrYTjJTboVhEXlgIUUuHW4lhKMlZ9lFTV79icQQ8WWcxIr5FfFgHM96NGun/Q/aNDoI8dk8bjRx7K05dyJqvOuOIAnyqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=jnfB/uT3z1VmkuG1SM4ynXYTqb7sg6WpSjcGXjHRQNU=;
b=buogIRW9KC7EPet2NqpOMceeWe4MqtJtQl6N52JmZJKmrY2fhYCldHb9zi/bewmuQVGhkqR6nD2nPBSAzrQCkzpTHZd4lmhQVmGXP6B79vXi76DTdmlRhMbcg9R1PdeTHS3dPGjfBJ1WGQ9zBq3imES+YiUM1vuov2qZ+6ECK9Zk2iv015dEKAXttHUGOjWcN16aMxVD7ciPFQYRMO0zwZxu7joV10m3EEi5Li5XppF4DguPNnfEtJn18JBGvwAR2TNJQIjQ9jaa+iYf69+usTyWrLCJhYX1uhOeYC4klaqFgIVME+5E7Dwx/iyJ5xkhRMf68fv5jmuRuEBtI7m4uw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
140.32.61.234) smtp.rcpttodomain=mit.edu smtp.mailfrom=cmf.nrl.navy.mil;
dmarc=pass (p=reject sp=reject pct=100) action=none
header.from=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=jnfB/uT3z1VmkuG1SM4ynXYTqb7sg6WpSjcGXjHRQNU=;
b=J7s2lCOV9ZT1fulriocACv1DqKty06Dd88DUNerE6G0K0jaWIb54EGBHTz4Nk9BOz4XlloY+dmQ0z/fWjxpaeCk0/UwPVnPhFQoGZRl9qfTC2XUatDlEAC0Eosrzl7dQRe0XBiEyEOq1tzvEgtvWeLzJ3qNys4eVXhUje7oKhHg=
Authentication-Results: spf=pass (sender IP is 140.32.61.234)
smtp.mailfrom=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil;dmarc=pass action=none header.from=cmf.nrl.navy.mil;
Received-SPF: Pass (protection.outlook.com: domain of cmf.nrl.navy.mil
designates 140.32.61.234 as permitted sender)
receiver=protection.outlook.com; client-ip=140.32.61.234; helo=mfw.dren.mil;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nrl.navy.mil;
h=message-id : from :
to : cc : subject : in-reply-to : references : mime-version : content-type
: date; s=s2.dkim; bh=jnfB/uT3z1VmkuG1SM4ynXYTqb7sg6WpSjcGXjHRQNU=;
b=Iadcu0wlNQjPTRSz7/fyQ6yGGXTtMvPUITxS/JsmuUZeYHc50Z3hlKAaA2KX7j7sGG4k
WvdrtvcWDXSrHUemjfVYR57guKbCWqO8IQrDHnq+/YkHHm2uyMzGCBKvOCA31oh+cWMf
GlaCKiPJyE63BReBIA75781Jfx7a4Ax4gExZ2tN24Dmtrb3sfEBB3cqU/6EPjXa67fCX
rxU5Z6nmehBh851QK35kkYW82FYhtHwaM766e/9k5Bs//ATyta3273knzt8O6Qx1zKrM
DABp/jVpKdALQVCVDnFA5d9oSvWivrtXBMCZqqyBxB0hufpkeN1bPyOKWD7Z2gNGNsjS sg==
In-Reply-To: <CALTuj67a3EZeOB6B8ydfrzyAoyaj7S7F80qzGhrBwab_7fj2cg@mail.gmail.com>
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
X-NRLCMF-Spam-Score: () hits=0 User Authenticated
X-NRLCMF-Virus-Scanned: No virus found
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 13ea4f14-bc11-496c-976f-08da2ea55f6e
X-MS-TrafficTypeDiagnostic: BN3PR01MB2148:EE_
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-Microsoft-Antispam-PRVS: <BN3PR01MB2148FF000C5DB7C18A079CFCACC29@BN3PR01MB2148.prod.exchangelabs.com>
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: gLaBqDPhptcdhmp+2a77qx/As/zNyM7B7fqD6hQHpkKZeS6/BECXWcZ8QPqEZ8wfhdxqMWYwA8C5Yd9iT9dpU5D+V7iffZTqCumvpzn5VlIQqp05weHFwzfV8OKxsSs7Edq8RJBNvoMyXih02GXw/D7Z+herQE6wXHA/K7i50+fzU4mvAB4k3jNwFKf+uG1itqDf/RgvMkAknF+AB3k9CUTHZ6arnd67Mavnlo1+UKTr9rUaVganMmSES9AeVRNXwpm8CYFXYTCy+omitWu3jFhnkladxCir+IEqjIXkuCtmPIw9V4MOi/xkmueSlr9LGGj75cDNvZVcWoid+Ans4SPCFk3bQw+lVMztj1yndiBovTHj+THa3FR4H5eznNF9V91IMHlkUDIVwZhhF2mm4lpgfRn+ei5BmUN/FZw8wC6JSRQTgZyMGdsuEvYGHiK6IIvMjeyz7dDCjI5P4NaNZZqQ6Xpc8gmdlYY/1tAkT/0J4pSfCeJSoK+/3LHs5JHi6mkl+Zdr1wY6YYZ0tlqnjL6lowBeupdsstDUZWHInFsenn2R6RSWOEUb3L3V0nN9IMk5TE0xLcNtPQv/gmlEuk64GO+BvTwoRRihx8JdjoG0GETEbXvwlLfDsVFXPVCQ
X-Forefront-Antispam-Report: CIP:140.32.61.234; CTRY:US; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:mfw.dren.mil; PTR:mfw.dren.mil; CAT:NONE;
SFS:(13230001)(4636009)(86362001)(45080400002)(83380400001)(1076003)(26005)(956004)(5660300002)(508600001)(7596003)(7636003)(356005)(4326008)(3480700007)(70586007)(68406010)(6862004)(336012)(2906002)(8676002)(426003)(316002)(786003)(7116003);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 May 2022 14:41:43.0505 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 13ea4f14-bc11-496c-976f-08da2ea55f6e
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT037.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR01MB2148
X-OriginatorOrg: mitprod.onmicrosoft.com
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <202205051441.245Effnu006676@hedwig.cmf.nrl.navy.mil>
X-Mailman-Original-References: <CALTuj66DozJM-mDHxYT9HjNKbS9YCUxhCphwhyVHZ5Ae_EpYAQ@mail.gmail.com>
<202205042340.244Nem5a001656@hedwig.cmf.nrl.navy.mil>
<CALTuj67zttXCUQtrLEOJLkv399-afzh2Lu-fnHesJY4dyjWV4g@mail.gmail.com>
<202205050200.24520jx6002513@hedwig.cmf.nrl.navy.mil>
<CALTuj67a3EZeOB6B8ydfrzyAoyaj7S7F80qzGhrBwab_7fj2cg@mail.gmail.com>
View all headers
gotcha, thank you very much for all the help.
I guess just out of curiosity:
- for windows: there are other tools such as heimdall and microsoft
kerberos. with those I don't know if you ever played around with them or
know if they support smartcard and pin authentication to get a ticket
manually.
manually meaning, get a ticket for a specified account with the use of
kinit or similar tools..

Here's my limited, imperfect understanding of the situation.

- My understanding is that the Kerberos implementation supplied by Microsoft
  does implement PKINIT and works with smartcards.  But I am not sure if
  you can use it OUTSIDE of an Active Directory domain.

- It seems that Heimdal _does_ implement PKINIT.  But it's not clear to
  me that they support using PKCS#11 to sign the PKINIT request, which
  is the piece you need to make it work with Smartcards.  I mean, I see
  there is SOME PKCS#11 support, I just didn't see any calls to something
  like C_SignInit.  It's very possible I missed it.  You're going to have
  to investigate that on your own.

--Ken


1
rocksolid light 0.7.2
clearneti2ptor