On Fri, Feb 29, 2008 at 5:56 PM, Matthew Andrews wrote:
> I initially sent this to krbdev, but in retrospect it probably more
> rightly belongs here.
> Hello,
> I am attempting to set up pkinit authentication with the kerberos 1.6.3
> code, and having trouble figuring out what is needed to get the kinit
> client to use pkinit. I am running the following command:
> /opt/krb-1.6.3/bin/kinit -X pkinit_identity=FILE:/tmp/x509up_u31675 -X
> pkinit_anchors=FILE:/opt/krb-1.6.3/var/krb5kdc/ca_certs/29c870c0.0 ma3d
> and see an as_req go out to the kdc without any pa_data, followed by an
> as_req with a padata field of type PA-ENCTYPE-INFO2 at which point kinit
> prompts me for ma3d's password. It seems that the client is not trying
> to use pkinit preauth data, so I figure I'm missing something, but I
> can't figure out exactly what.
> I've built the pkinit preauth module with the DEBUG macro defined, and
> see the following debug output.
> pkinit_init_plg_crypto: initializing openssl crypto context at 0x9f78ec0
> pkinit_client_plugin_init: returning plgctx at 0x9f70100
> (pkinit) received 'pkinit_identity' = 'FILE:/tmp/x509up_u31675'
> (pkinit) received 'pkinit_anchors' =
> 'FILE:/opt/krb-1.6.3/var/krb5kdc/ca_certs/29c870c0.0'
> pkinit_init_req_crypto: returning ctx at 0x9f6ffe8
> pkinit_init_identity_crypto: returning ctx at 0x9f7a0f0
> pkinit_client_req_init: returning reqctx at 0x9f7a0a8
> Password for ma3d@FSG.NERSC.GOV: ^C
> pkinit_client_req_fini: received reqctx at 0x9f7a0a8
> pkinit_fini_req_crypto: freeing ctx at 0x9f6ffe8
> pkinit_fini_identity_crypto: freeing ctx at 0x9f7a0f0
> kinit(v5): Password read interrupted while getting initial credentials
> pkinit_client_plugin_fini: got plgctx at 0x9f70100
> pkinit_fini_plg_crypto: freeing context at 0x9f78ec0
> Is there something obvious I'm missing here? If not, are there more
> informative debug messages that I can turn on beyond what is enabled
> just by defining DEBUG?
> By the way, how do most people define the DEBUG macro? Adding it to
> CPPFLAGS via the top level configure invocation seems to break the build
> for me, so I just stuck it into pkinit.h.
> -Matt Andrews

The obvious question is whether your KDC is properly configured for
pkinit. Also, is the client configured to require preauthentication?
If so, the KDC should offer the pkinit preauth method to the client in
a preauth-required message. Unlike the Heimdal client, the MIT client
will not send padata automatically just because you specified
pkinit_identity and pkinit_anchors.
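For readers following this thread later, here is the KDC-side configuration the reply is pointing at, written as an added example rather than anything posted in the thread. It assumes an MIT krb5 1.6 kdc.conf; the realm name and the CA bundle path are taken from the original post, while the KDC certificate path is a placeholder you would replace with the KDC's own certificate and key.

```ini
[kdcdefaults]
    # KDC certificate and private key used to sign PA-PK-AS-REP.
    # Placeholder path: substitute the KDC's own PEM file.
    pkinit_identity = FILE:/path/to/kdc.pem,/path/to/kdckey.pem
    # Trust anchors used to validate the client certificate in PA-PK-AS-REQ.
    # Path as given in the original post.
    pkinit_anchors = FILE:/opt/krb-1.6.3/var/krb5kdc/ca_certs/29c870c0.0

[realms]
    FSG.NERSC.GOV = {
        database_name = /opt/krb-1.6.3/var/krb5kdc/principal
        acl_file = /opt/krb-1.6.3/var/krb5kdc/kadm5.acl
    }
```

With this in place, the second half of the reply still applies: the principal must carry the requires_preauth attribute, for example via kadmin.local with "modprinc +requires_preauth ma3d". Only then does the KDC answer the first, padata-free AS-REQ with KDC_ERR_PREAUTH_REQUIRED listing PA-PK-AS-REQ among the offered methods, and only then will the MIT client hand the request to the pkinit module instead of falling through to the password prompt seen in the debug output above. A quick check is to watch for that preauth-required error in the KDC log; if it arrives but lists only PA-ENCTYPE-INFO2 and PA-ENC-TIMESTAMP, the pkinit plugin did not load or could not read its identity or anchors.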