Kevin Coffman wrote:

>On Tue, May 27, 2008 at 11:09 AM, naveen.bn
> wrote:
>
>
>>
>>---------- Forwarded message ----------
>>From: "naveen.bn"
>>To: Kevin Coffman
>>Date: Tue, 27 May 2008 15:06:25 +0000
>>Subject: Re: problem in sending AS_REQ
>>Kevin Coffman wrote:
>>
>>
>>
>>>On Mon, May 26, 2008 at 12:02 PM, naveen.bn
>>> wrote:
>>>
>>>
>>>
>>>>Hi all,
>>>>This is my krb5.conf:
>>>>********************* krb5.conf ******************************
>>>>[libdefaults]
>>>> default_realm = _kerberos._udp.globaledgesoft.com
>>>> krb4_config = /usr/kerberos/lib/krb.conf
>>>> krb5_realms = /usr/kerberos/lib/krb.realms
>>>> pkinit_anchors = FILE:/secure/ca-cert.pem
>>>>
>>>>[realms]
>>>> _kerberos._udp.globaledgesoft.com = {
>>>> admin_server = 172.16.8.141
>>>> kdc = 172.16.8.141
>>>> v4_instance_convert = {
>>>> gesl = _kerberos._udp.globaledgesoft.com
>>>> lithium = lithium.lcs._kerberos._udp.globaledgesoft.com
>>>> }
>>>>
>>>> pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>>>>
>>>> }
>>>> ANDREW.CMU.EDU = {
>>>> admin_server = 172.16.8.141
>>>> }
>>>># use "kdc =" if realm admins haven't put SRV records into DNS
>>>> GNU.ORG = {
>>>> kdc = 172.16.8.141
>>>> kdc = 172.16.9.141
>>>> admin_server = 172.16.8.141
>>>> }
>>>>
>>>>[domain_realm]
>>>> .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>> globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>>
>>>>[logging]
>>>># kdc = CONSOLE
>>>> kdc=FILE:/var/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmin.log
>>>> default = FILE:/var/log/krb5lib.log
>>>>***********************************************************************
>>>>and this is my kdc.conf
>>>>[kdcdefaults]
>>>> kdc_ports = 750,88
>>>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>> pkinit_anchors=DIR:/secure/ca-cert.pem
>>>>
>>>>
>>>>
>>>For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>>>
>>>
>>>
>>>
>>>>[realms]
>>>>_kerberos._udp.globaledgesoft.com = {
>>>> database_name = /usr/local/var/krb5kdc/principal
>>>> admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>>>> acl_file = /usr/local/var/krb5kdc/kadm5.acl
>>>> key_stash_file =
>>>>/usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>>>> kdc_ports = 750,88
>>>> max_life = 10h 0m 0s
>>>> max_renewable_life = 7d 0h 0m 0s
>>>>
>>>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>> pkinit_anchors=DIR:/secure/ca-cert.pem
>>>> }
>>>>
>>>>***************************************** kdc.conf **********************
>>>>I have used the openssl program to generate mycert.pem and the key, but I
>>>>have not signed it with anything (neither self-signed nor with a CA).
>>>>
>>>>
>>>>
>>>I'm not sure what you mean here. A certificate must be signed by
>>>someone/something. The client will not attempt preauth if the
>>>server's certificate is not trusted.
>>>
>>>
>>>
>>>
>>>>kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key
>>>>naveen
>>>>kinit(v5): Unknown code u8JW 88 while setting
>>>>'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>>>>
>>>>
>>>>
>>>Obviously, there is a problem with that error code.
>>>
>>>
>>>
>>>
>>>>I am not able to send an AS_REQ with the PA data filled with certificates.
>>>>I am stuck here, please help me.
>>>>
>>>>Thank you.
>>>>
>>>>With regards,
>>>>naveen
>>>>
>>>>
>>>>
>>>The MIT client will not send pkinit information until the server
>>>indicates it will accept it. The server does this by indicating that
>>>the client principal requires preauthentication, and that pkinit is an
>>>acceptable form of preauthentication.
>>>
>>>Does the client principal have the requires_preauth flag set? Is the
>>>server telling the client that pkinit is an acceptable preauth method?
>>>
>>>
>>>
>>>

>>Hi Kevin,
>>
>>Thank you for your reply, it helped me. I had not set the requires_preauth flag
>>for the client. Now that I have set the flag I am getting the
>>KRB5KDC_ERR_PREAUTH_REQUIRED message from the KDC, and then the client sends
>>padata with an encrypted timestamp and I am getting the ticket. But I want
>>to send certificates to the KDC
>>and get the KDC certificates with DH parameters. Please kindly guide me.
>>And this is the concept that I have understood; please correct me if I am
>>wrong. I need to generate ca-cert.pem and ca-private.key using the openssl
>>tool, generate the RSA key for the client, like kdc.pem and kdc.key,
>>then sign kdc.pem with ca-private.key to generate the KDC certificate,
>>similarly for the client, and submit the paths of these files in their profiles,
>>right?
>>
>>

>
>The certificates don't have to be created using openssl, but that is
>one way of doing it. If you do not currently have any PKI, then
>generating a self-signed CA certificate would be a good first step.
>
>This CA certificate can be used to sign a certificate for the KDC.
>The KDC's certificate must contain the proper Extended Key Usage (EKU)
>KeyPurposeId, to indicate it is intended to be used as a KDC.
>
>From section 3.2.4 of rfc4556:
>
> id-pkinit-KPKdc OBJECT IDENTIFIER ::=
> { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
> pkinit(3) keyPurposeKdc(5) }
> -- Signing KDC responses.
> -- Key usage bits that MUST be consistent:
> -- digitalSignature.
>
>The client must possess the self-signed CA certificate, and have it
>listed as a trust anchor.
>
>If the reply from the KDC does not include pkinit as an acceptable
>preauth mechanism, then there is something wrong with your KDC
>configuration. If it is listed, then there is something wrong with
>your client configuration such that it doesn't trust the KDC.
>
>This message has some pointers on creating certs for use with pkinit
>with openssl:
>http://mailman.mit.edu/pipermail/krb...er/005180.html
>
>K.C.
>
>
>

Hi Kevin,

Thanks for your reply. I am still trying to send the AS_REQ with certificates (i.e., PA-PK-AS-REQ).
I have changed my kdc.conf and krb5.conf files as shown below.
I have made use of the link you gave for configuring openssl.cnf to generate the certificates.

This is how my openssl.cnf looks:
/********************* start of openssl.cnf *******************/

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

[ new_oids ]
[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

default_days = 10000 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional


[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
countryName_min = 2
countryName_max = 2

0.organizationName = Organization Name (eg, company)
0.organizationName_default = GlobalEdge Soft ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64

[ req_attributes ]

[ usr_cert ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

[ kdc_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

[ client_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy

[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:${ENV::CLIENT}

/***************** End of openssl.cnf ***************************/

I have set the environment variables REALM and CLIENT.

I have used the following commands to generate the certificates.

/************ CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

At the end of this I have ca.crt and ca.key, which is self-signed.

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
# issue from the CA (-CA/-CAkey rather than -signkey) and read the client_cert section from openssl.cnf (-extfile)
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile openssl.cnf -extensions client_cert -out client.crt

At the end of this I have client.crt and client.key, which is signed by ca.key.

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
# issue from the CA (-CA/-CAkey rather than -signkey) and read the kdc_cert section from openssl.cnf (-extfile)
openssl x509 -req -days 365 -in kdc.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile openssl.cnf -extensions kdc_cert -out kdc.crt

/************* END of KDC crt **************/

I am running both client and server on the same machine. I have kept the files {ca.crt, ca.key} in /ca, the files
{kdc.crt, kdc.key} in /key and the files {client.crt, client.key} in /client.


This is my new krb5.conf file.
/****************************** start of Krb5.conf *************************/

[libdefaults]
default_realm = _kerberos._udp.globaledgesoft.com
krb4_config = /usr/kerberos/lib/krb.conf
krb4_realms = /usr/kerberos/lib/krb.realms
pkinit_anchors = DIR:/ca/



[realms]
_kerberos._udp.globaledgesoft.com = {
kdc = 172.16.8.141
admin_server = 172.16.8.141
pkinit_identity = DIR:/client/
}
[kdc]
require-preauth = yes
pkinit_identity = DIR:/kdc/

[kadmin]
require-preauth = yes

[domain_realm]
.globaledgesoft.com = _kerberos._udp.globaledgesoft.com
globaledgesoft.com = _kerberos._udp.globaledgesoft.com

[logging]
kdc=FILE:/var/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

/********************************* end of krb5.conf **************************/

This is my new kdc.conf file .

/********************************* start of kdc.conf ******************************/

[kdcdefaults]
kdc_ports = 750,88
pkinit_anchors = DIR:/ca/
pkinit_identity = DIR:/kdc/
[realms]
_kerberos._udp.globaledgesoft.com = {
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s

pkinit_identity = FILE:/client/
}
[kdc]
require-preauth = yes
/********************************** end of kdc.conf ***********************************/


I also tried to generate the certificates using the link http://acs.lbl.gov/~boverhof/openssl_certs.html
and modified kdc.conf and krb5.conf: in place of specifying DIR, I have given the path of the .pem
and .key files in the profiles, but it still isn't working.
I also have a doubt about whether to use .pem and .key or .crt and .key format certificates; it would
be helpful if I got some guidance in generating certificates. Are the above configuration files right?
Please do guide me in case there is a mistake. Can you please send a link for client configuration if I am
wrong in configuring the client and/or KDC for pkinit? I am not using a smartcard.

Thank you for your support.

With regards
naveen
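As an added example (not code from this thread or from MIT Kerberos), a stdlib-only Python encoder/decoder for the KRB5PrincipalName structure that the [kdc_princ_name] and [princ_name] sections of the openssl.cnf above build into the subjectAltName otherName (type-id 1.3.6.1.5.2.2), together with the RFC 4556 section 3.2.4 check that a KDC certificate's name is krbtgt/REALM; the function names and the sample realm inputs are my own.

```python
# Added example (not from the thread): DER codec for the RFC 4556 KRB5PrincipalName
# that the [kdc_princ_name]/[princ_name] cnf sections put into the SAN otherName.
KRB_NT_PRINCIPAL = 1  # name-type the cnf sets with "INTEGER:1"

def _length(n: int) -> bytes:  # DER length octets: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content
def _kstring(s: str) -> bytes:  # KerberosString is a GeneralString, tag 0x1B
    return _tlv(0x1B, s.encode("ascii"))
def _exp(n: int, content: bytes) -> bytes:  # "EXP:n" in the cnf = explicit tag [n]
    return _tlv(0xA0 | n, content)

def encode_krb5_principal_name(realm: str, components: list) -> bytes:
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }"""
    name_string = _tlv(0x30, b"".join(_kstring(c) for c in components))
    principal = _tlv(0x30, _exp(0, _tlv(0x02, bytes([KRB_NT_PRINCIPAL]))) + _exp(1, name_string))
    return _tlv(0x30, _exp(0, _kstring(realm)) + _exp(1, principal))

def _take(buf: bytes, pos: int, tag: int):  # TLV at buf[pos], must carry `tag` -> (content, next)
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {buf[pos]:#04x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def decode_krb5_principal_name(der: bytes):
    """Inverse of the encoder: returns (realm, name_type, [components])."""
    outer, _ = _take(der, 0, 0x30)
    realm_ctx, pos = _take(outer, 0, 0xA0)
    principal, _ = _take(_take(outer, pos, 0xA1)[0], 0, 0x30)
    nt_ctx, pos = _take(principal, 0, 0xA0)
    name_string, _ = _take(_take(principal, pos, 0xA1)[0], 0, 0x30)
    comps, pos = [], 0
    while pos < len(name_string):
        c, pos = _take(name_string, pos, 0x1B)
        comps.append(c.decode("ascii"))
    realm = _take(realm_ctx, 0, 0x1B)[0].decode("ascii")
    name_type = int.from_bytes(_take(nt_ctx, 0, 0x02)[0], "big", signed=True)
    return realm, name_type, comps

def is_kdc_san_name(der: bytes, realm: str) -> bool:
    """RFC 4556 3.2.4: a KDC's SAN name must be krbtgt/REALM@REALM."""
    r, nt, comps = decode_krb5_principal_name(der)
    return r == realm and nt == KRB_NT_PRINCIPAL and comps == ["krbtgt", realm]
```

Running it against the otherName value of a generated kdc.crt (for example as dumped by openssl asn1parse) confirms that the cnf produced the name the client will look for.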