On Wed, May 28, 2008 at 9:06 AM, naveen.bn wrote:
> Kevin Coffman wrote:
>
> On Tue, May 27, 2008 at 11:09 AM, naveen.bn
> wrote:
>
>
> ---------- Forwarded message ----------
> From: "naveen.bn"
> To: Kevin Coffman
> Date: Tue, 27 May 2008 15:06:25 +0000
> Subject: Re: problem in sending AS_REQ
> Kevin Coffman wrote:
>
>
>
> On Mon, May 26, 2008 at 12:02 PM, naveen.bn
> wrote:
>
>
>
> hi all,
> This is my krb5.conf
> ********************* krb5.conf ******************************
> [libdefaults]
> default_realm = _kerberos._udp.globaledgesoft.com
> krb4_config = /usr/kerberos/lib/krb.conf
> krb5_realms = /usr/kerberos/lib/krb.realms
> pkinit_anchors = FILE:/secure/ca-cert.pem
>
> [realms]
> _kerberos._udp.globaledgesoft.com = {
> admin_server = 172.16.8.141
> kdc = 172.16.8.141
> v4_instance_convert = {
> gesl = _kerberos._udp.globaledgesoft.com
> lithium = lithium.lcs._kerberos._udp.globaledgesoft.com
> }
>
> pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>
> }
> ANDREW.CMU.EDU = {
> admin_server = 172.16.8.141
> }
> # use "kdc =" if realm admins haven't put SRV records into DNS
> GNU.ORG = {
> kdc = 172.16.8.141
> kdc = 172.16.9.141
> admin_server = 172.16.8.141
> }
>
> [domain_realm]
> .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
> globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>
> [logging]
> # kdc = CONSOLE
> kdc=FILE:/var/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> ***********************************************************************
> and this is my kdc.conf
> [kdcdefaults]
> kdc_ports = 750,88
> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
> pkinit_anchors=DIR:/secure/ca-cert.pem
>
>
>
> For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>
>
>
>
> [realms]
> _kerberos._udp.globaledgesoft.com = {
> database_name = /usr/local/var/krb5kdc/principal
> admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
> acl_file = /usr/local/var/krb5kdc/kadm5.acl
> key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
>
> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
> pkinit_anchors=DIR:/secure/ca-cert.pem
> }
>
> ***************************************** kdc.conf **********************
> I have used the openssl program to generate mycert.pem and the key, but I
> have not signed it with anything (neither self-signed nor with a CA).
>
>
>
> I'm not sure what you mean here. A certificate must be signed by
> someone/something. The client will not attempt preauth if the
> server's certificate is not trusted.
>
>
>
>
> kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key naveen
> kinit(v5): Unknown code u8JW 88 while setting 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>
>
>
> Obviously, there is a problem with that error code.
>
>
>
>
> I am not able to send the AS_REQ with the pa-data filled with certificates.
> I am stuck here, please help me.
>
> thank you .
>
> with regards
> naveen
>
>
>
> The MIT client will not send pkinit information until the server
> indicates it will accept it. The server does this by indicating that
> the client principal requires preauthentication, and that pkinit is an
> acceptable form of preauthentication.
>
> Does the client principal have the requires_preauth flag set? Is the
> server telling the client that pkinit is an acceptable preauth method?
>
>
>
>
> Hi kevin,
>
> Thank you for your reply, it helped me. I had not set the requires_preauth flag
> for the client. Now that I have set the flag I am getting the
> KRB5KDC_ERR_PREAUTH_REQUIRED message from the KDC, and then the client sends
> padata with an encrypted timestamp and I am getting the ticket. But I want
> to send certificates to the KDC
> and get the KDC certificates with DH parameters. Please kindly guide me.
> And this is the concept that I have understood, please correct me if I am
> wrong. I need to generate ca-cert.pem and ca-private.key using the openssl
> tool. Generate the RSA key for the client like kdc.pem and kdc.key,
> then sign kdc.pem with ca-private.key to generate the KDC certificate,
> similarly for the client, and submit the paths of these files in their profiles,
> right?
>
>
> The certificates don't have to be created using openssl, but that is
> one way of doing it. If you do not currently have any PKI, then
> generating a self-signed CA certificate would be a good first step.
>
> This CA certificate can be used to sign a certificate for the KDC.
> The KDC's certificate must contain the proper Extended Key Usage (EKU)
> KeyPurposeId, to indicate it is intended to be used as a KDC
>
> From section 3.2.4 of rfc4556:
>
>
> id-pkinit-KPKdc OBJECT IDENTIFIER ::=
> { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
> pkinit(3) keyPurposeKdc(5) }
> -- Signing KDC responses.
> -- Key usage bits that MUST be consistent:
> -- digitalSignature.
>
> The client must possess the self-signed CA certificate, and have it
> listed as a trust anchor.
>
> If the reply from the KDC does not include pkinit as an acceptable
> preauth mechanism, then there is something wrong with your KDC
> configuration. If it is listed, then there is something wrong with
> your client configuration such that it doesn't trust the KDC.
>
> This message has some pointers on creating certs for use with pkinit
> with openssl:
> http://mailman.mit.edu/pipermail/krb...er/005180.html
>
> K.C.
>
>
>
> Hi Kevin,
>
> Thanks for your reply. I am still trying to send the AS_REQ with
> certificates (i.e., PA-PK-AS-REQ).
> I have changed my kdc.conf and krb5.conf files as specified below.
> I have made use of the link you gave for configuring openssl.cnf to
> generate the certificates.
>
> This is how my openssl.cnf looks like
> /********************* start of openssl.cnf *******************/
>
> # OpenSSL example configuration file.
> # This is mostly being used for generation of certificate requests.
> #
>
> # This definition stops the following lines choking if HOME isn't
> # defined.
> HOME = .
> RANDFILE = $ENV::HOME/.rnd
>
> # Extra OBJECT IDENTIFIER info:
> #oid_file = $ENV::HOME/.oid
> oid_section = new_oids
>
> [ new_oids ]
> [ ca ]
> default_ca = CA_default # The default ca section
>
> [ CA_default ]
>
> dir = ./demoCA # Where everything is kept
> certs = $dir/certs # Where the issued certs are kept
> crl_dir = $dir/crl # Where the issued crl are kept
> database = $dir/index.txt # database index file.
> new_certs_dir = $dir/newcerts # default place for new certs.
>
> certificate = $dir/cacert.pem # The CA certificate
> serial = $dir/serial # The current serial number
> crl = $dir/crl.pem # The current CRL
> private_key = $dir/private/cakey.pem # The private key
> RANDFILE = $dir/private/.rand # private random number file
>
> x509_extensions = usr_cert # The extentions to add to the cert
>
> default_days = 10000 # how long to certify for
> default_crl_days= 30 # how long before next CRL
> default_md = sha1 # which md to use.
> preserve = no # keep passed DN ordering
> policy = policy_match
>
> [ policy_match ]
> countryName = optional
> stateOrProvinceName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
> emailAddress = optional
>
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> default_bits = 1024
> default_keyfile = privkey.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> x509_extensions = v3_ca # The extentions to add to the self signed cert
> string_mask = nombstr
>
> [ req_distinguished_name ]
> countryName = Country Name (2 letter code)
> countryName_default = IN
> countryName_min = 2
> countryName_max = 2
>
> 0.organizationName = Organization Name (eg, company)
> 0.organizationName_default = GlobalEdge Soft ltd
> organizationalUnitName = Organizational Unit Name (eg, section)
> organizationalUnitName_default =
> commonName = Common Name (eg, YOUR name)
> commonName_max = 64
>
> [ req_attributes ]
>
> [ usr_cert ]
>
> [ v3_req ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
> [ v3_ca ]
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer:always
> basicConstraints = CA:true
>
> [ crl_ext ]
> authorityKeyIdentifier=keyid:always,issuer:always
>
> [ kdc_cert ]
> basicConstraints=CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
> extendedKeyUsage = 1.3.6.1.5.2.3.5
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> issuerAltName=issuer:copy
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
>
> [kdc_princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:kdc_principal_seq
>
> [kdc_principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:kdc_principals
>
> [kdc_principals]
> princ1 = GeneralString:krbtgt
> princ2 = GeneralString:${ENV::REALM}
>
> [ client_cert ]
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, keyEncipherment, keyAgreement
> extendedKeyUsage = 1.3.6.1.5.2.3.4
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
> issuerAltName=issuer:copy
>
> [princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:principal_seq
>
> [principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:principals
>
> [principals]
> princ1 = GeneralString:${ENV::CLIENT}
>
> /***************** End of openssl.cnf ***************************/
>
> I have set the environment variables REALM and CLIENT.
>
> I have used the following commands to generate the certificates.
>
> /************ CA certificates ***********/
> openssl genrsa -out ca.key 2048
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>
> At the end of this I have ca.crt and ca.key, which is self-signed.
>
> /************* END of CA crt **************/
>
> /************* Client certificate *********/
>
> openssl genrsa -out client.key 2048
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -signkey ca.key -extensions client_cert -out client.crt
>
> At the end of this I have client.crt and client.key, which is signed by
> ca.key.
>
> /************* END of client crt ***********/
>
> /************* KDC certificate *************/
>
> openssl genrsa -out kdc.key 2048
> openssl req -new -key kdc.key -out kdc.csr
> openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extensions kdc_cert -out kdc.crt
>
> /************* END of KDC crt **************/
>
> I am running both client and server on the same machine. I have kept the
> files {ca.crt,ca.key} in /ca, the files
> {kdc.crt,kdc.key} in /key and the files {client.crt,client.key} in /client
> directories.
>
>
> This is my new krb5.conf file.
> /****************************** start of krb5.conf *************************/
>
> [libdefaults]
> default_realm = _kerberos._udp.globaledgesoft.com
> krb4_config = /usr/kerberos/lib/krb.conf
> krb4_realms = /usr/kerberos/lib/krb.realms
> pkinit_anchors = DIR:/ca/
>
>
>
> [realms]
> _kerberos._udp.globaledgesoft.com = {
> kdc = 172.16.8.141
> admin_server = 172.16.8.141
> pkinit_identity = DIR:/client/
> }
> [kdc]
> require-preauth = yes
> pkinit_identity = DIR:/kdc/
>
> [kadmin]
> require-preauth = yes
>
> [domain_realm]
> .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
> globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>
> [logging]
> kdc=FILE:/var/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> /********************************* end of krb5.conf **************************/
>
> This is my new kdc.conf file .
>
> /********************************* start of kdc.conf ******************************/
>
> [kdcdefaults]
> kdc_ports = 750,88
> pkinit_anchors = DIR:/ca/
> pkinit_identity = DIR:/kdc/
> [realms]
> _kerberos._udp.globaledgesoft.com = {
> database_name = /usr/local/var/krb5kdc/principal
> admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
> acl_file = /usr/local/var/krb5kdc/kadm5.acl
> key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
>
> pkinit_identity = FILE:/client/
> }
> [kdc]
> require-preauth = yes
> /********************************** end of kdc.conf ***********************************/
>
> I also tried to generate the certificates using the link
> http://acs.lbl.gov/~boverhof/openssl_certs.html
> and modified kdc.conf and krb5.conf to give the path of the .pem and .key
> files in the profiles in place of specifying DIR, but it still isn't working.
> I also have a doubt on whether to use .pem and .key format or .crt and .key
> format certificates; it would be helpful if I got some guidance in generating
> certificates. Are the above configuration files right? Please do guide me in
> case there is a mistake. Can you please send a link for client configuration
> if I am wrong in configuring the client and/or KDC for pkinit? I am not using
> a smartcard.
>
> Thank you for your support.
>
> With regards
> naveen


Unfortunately, I don't have the time right now to guide you. Below is
an example of my test KDC's kdc.conf and client's krb5.conf. As Russ
pointed out, your realm name is _highly_ unconventional, and is highly
likely to cause problems. I don't know if it has anything to do with
any problems you are currently seeing. Conventionally, your realm
name should be GLOBALEDGESOFT.COM (upper-case of your domain name).
Besides that, your config files look reasonable. Without seeing the
contents of the /ca and /kdc directories, and the contents of the
certificates within them, I can't say more.

The contents of the cert and key files are expected to be in PEM
format. Their names aren't important. See
http://www.mit.edu/~kerberos/krb5-1....rb5-admin.html
for more info on the config options.

You *may* get more help by compiling the pkinit preauth plugin code
with -DDEBUG, which will cause it to print more information to stdout.

K.C.

---- example kdc.conf ----

[kdcdefaults]
default_realm = KWCTEST.CITI.UMICH.EDU
kdc_ports = 750,88
kdc_tcp_ports = 88
v4_mode = nopreauth

[realms]
KWCTEST.CITI.UMICH.EDU = {
database_name = /usr/local/krb5/var/krb5kdc/KWCTEST/principal
admin_keytab = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.keytab
acl_file = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.acl
dict_file = /usr/local/krb5/var/krb5kdc/kadm5.dict
key_stash_file = /usr/local/krb5/var/krb5kdc/KWCTEST/.k5.KWCTEST.CITI.UMICH.EDU
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:afs3
kadmind_port = 749
pkinit_pool = FILE:/etc/grid-security/certificates/ca-intermediates.crt
pkinit_revoke = DIR:/etc/grid-security/certificates
pkinit_identity=FILE:/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.crt,/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.key
pkinit_anchors=FILE:/etc/grid-security/certificates/ca-bundle.crt
pkinit_anchors=FILE:/etc/grid-security/certificates/doe-ca.crt
pkinit_allow_upn = true
pkinit_eku_checking = none
}


---- example krb5.conf ----
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = KWCTEST.CITI.UMICH.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
noaddresses = true
no-addresses = true
forwardable = true
pkinit_anchors = DIR:/etc/grid-security/certificates

KWCTEST.CITI.UMICH.EDU = {
pkinit_require_eku = true
pkinit_require_krbtgt_otherName = true
pkinit_require_hostname_match = true
}

[realms]

KWCTEST.CITI.UMICH.EDU = {
kdc = rock.citi.umich.edu
admin_server = rock.citi.umich.edu
}

[domain_realm]
rock.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
roll.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
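The thread quotes the `kdc_cert` extension sections but no complete, non-interactive issuing procedure; the POSIX shell script below is an added example (not code from the thread, from Kevin Coffman or from MIT Kerberos) that issues a KDC certificate with those extensions and then checks that it chains to the CA and carries the id-pkinit-KPKdc EKU and the krbtgt SAN. It assumes the openssl CLI and uses a made-up realm EXAMPLE.COM and host kdc.example.com; it signs with `-CA`/`-CAkey` because the `openssl x509 -req ... -signkey ca.key` commands quoted above self-sign the CSR (issuer = CSR subject) instead of chaining it to the CA.

```shell
# Added example (not from the thread): issue a PKINIT KDC certificate carrying the
# RFC 4556 KDC EKU and krbtgt SAN, then check it. Assumes the openssl CLI; the
# realm EXAMPLE.COM and host kdc.example.com are made up.
set -eu
export REALM="EXAMPLE.COM"        # conventional upper-case realm name (assumption)
WORK=$(mktemp -d)
CNF="$WORK/pkinit.cnf"
# Same ASN.1-generation syntax as the thread's openssl.cnf, plus a minimal [req]
# section so that 'openssl req -subj' runs unattended.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
[ kdc_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[ kdc_princ_name ]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[ kdc_principal_seq ]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[ kdc_principals ]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
EOF
gen_pkinit_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=PKINIT test CA" \
    -config "$CNF" -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kdc.example.com" \
    -config "$CNF" -keyout "$WORK/kdc.key" -out "$WORK/kdc.csr" 2>/dev/null
  # Issue from the CA with -CA/-CAkey. '-signkey ca.key' on a CSR, as in the thread's
  # commands, sets issuer = CSR subject, so that certificate would not chain to the CA.
  openssl x509 -req -days 365 -in "$WORK/kdc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$CNF" -extensions kdc_cert -out "$WORK/kdc.crt" 2>/dev/null
}
# Succeeds only if kdc.crt chains to ca.crt and its DER contains the id-pkinit-KPKdc
# EKU (OID 1.3.6.1.5.2.3.5 encodes as 2b 06 01 05 02 03 05) and the "krbtgt" SAN string.
check_kdc_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/kdc.crt" >/dev/null 2>&1 || return 1
  hex=$(openssl x509 -in "$WORK/kdc.crt" -outform DER | od -An -v -tx1 | tr -d ' \n')
  case "$hex" in *2b060105020305*) ;; *) return 1 ;; esac
  case "$hex" in *6b7262746774*) ;; *) return 1 ;; esac     # "krbtgt" as ASCII hex
}
gen_pkinit_certs && check_kdc_cert && echo "kdc.crt chains to the CA and has the PKINIT extensions"
```

A client certificate is issued the same way with the thread's `client_cert` section (EKU 1.3.6.1.5.2.3.4 and a SAN naming the client principal); the check then looks for that OID's DER bytes 2b 06 01 05 02 03 04 instead.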