Authenticating on kerberos via certificates - Kerberos


  1. Authenticating on kerberos via certificates

    Hi all,
    I'm facing this problem:

    I have a working authentication configure system that uses Kerberos
    for authentication. The credentials that have to be passed in order to
    obtain a TGT are username and password. Now I'm looking for some hint
    on how to authenticate on kerberos through certificates like X.509.

    This is what I want:

    Let's assume that a user has a valid certificate created by a CA. The
    user can authenticate himself without prompting any user/pwd but just
    having the certificate. According to you is it possible to construct
    an intermediate layer between the user and kerberos which maps the
    certificates in credentials allowing Kerberos to authenticate the user
    himself?

    Thanks in advance,
    Andrea

  2. Re: Authenticating on kerberos via certificates



    Andrea wrote:
    > Hi all,
    > I'm facing this problem:
    >
    > I have a working authentication configure system that uses Kerberos
    > for authentication. The credentials that have to be passed in order to
    > obtain a TGT are username and password. Now I'm looking for some hint
    > on how to authenticate on kerberos through certificates like X.509.
    >
    > This is what I want:
    >
    > Let's assume that a user has a valid certificate created by a CA. The
    > user can authenticate himself without prompting any user/pwd but just
    > having the certificate. According to you is it possible to construct
    > an intermediate layer between the user and kerberos which maps the
    > certificates in credentials allowing Kerberos to authenticate the user
    > himself?


    Yes, that is called PKINIT. Heimdal and MIT have just introduced this
    late last year. Windows has also supported this since W2000, as smart
    card login. All three have clients and KDCs, and can interoperate.

    On Unix for login at the console you will also need a pam_krb5 like
    http://www.eyrie.org/~eagle/software/pam-krb5/

    Usually the certificate and private key are on a smartcard. So also see
    http://www.opensc-project.org/

    >
    > Thanks in advance,
    > Andrea
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
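
The PKINIT setup named in the reply above, sketched for MIT krb5 as an added example that is not part of the original thread. The realm name, every file path and the OpenSC module location are assumptions; Heimdal uses different option names.

```ini
# ---- kdc.conf on the KDC (MIT krb5); realm and paths are assumed ----
[realms]
    EXAMPLE.COM = {
        # KDC certificate and private key presented to PKINIT clients
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
        # CA(s) the KDC trusts to have issued client certificates
        pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
        # Revocation: reject client certificates listed in these CRLs,
        # and fail closed when no CRL is available for the issuing CA
        pkinit_revoke = DIR:/var/lib/krb5kdc/crl
        pkinit_require_crl_checking = true
    }

# ---- krb5.conf on the client; realm and paths are assumed ----
[realms]
    EXAMPLE.COM = {
        # CA(s) the client trusts to have issued the KDC certificate
        pkinit_anchors = FILE:/etc/krb5/pkinit/cacert.pem
        # Client credential on a smartcard via the OpenSC PKCS#11 module
        # (module path is an assumption and varies by distribution)
        pkinit_identities = PKCS11:module_name=/usr/lib/opensc-pkcs11.so
        # Fallback tried next: certificate and key stored in files
        pkinit_identities = FILE:/etc/krb5/pkinit/user.pem,/etc/krb5/pkinit/userkey.pem
    }

# The certificate-to-principal mapping the question asks about is done by
# the KDC: by default it accepts a client certificate for a principal only
# when the certificate carries that principal name in its id-pkinit-san
# subject alternative name. The principal itself should be created with
# the requires_preauth flag so a TGT is never issued without PKINIT or
# another preauthentication mechanism.
```

With files rather than a card, the same identity can be passed for a single request as `kinit -X X509_user_identity=FILE:cert.pem,key.pem principal`.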
