• windows and smartcards

    From Prabin Tamang@21:1/5 to All on Tue May 3 14:20:58 2022
    Hi,

    I was wondering if the question listed in the link below was ever answered
    and if not, I was hoping you could provide one, please. https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html

    --
    Thank you,
    Prabin Tamang

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ken Hornstein@21:1/5 to Prabin Tamang on Wed May 4 19:40:48 2022
    Copy: kerberos@mit.edu

    >I was wondering if the question listed in the link below was ever answered
    >and if not, I was hoping you could provide one, please.
    >https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html

    I can provide a quick summary:

    - Current stock MIT Kerberos for Windows does not support pkinit (that's
    what you need to use Smartcards).

    - People I work with have adapted the stock MIT Kerberos PKINIT plugin
    to work on Windows.

    - We've talked with MIT about contributing this code back; it proceeds
    in fits and starts. The last hold-up was getting a C language regular
    expression library with an acceptable license for MIT (I didn't
    think this would be a problem, but it turns out that it is). We use
    a PCRE library for our distribution but that has its own issues.
    Unfortunately the developers on that project lost their contract and
    there aren't currently resources to push that forward into something
    that MIT would find acceptable.

    - To answer the specific question in that email message: stock MIT Kerberos
    works fine with PKINIT under OS X. If you want to use it with
    Smartcards, you need a compatible PKCS#11 library. If you are using
    the native smartcard support on OS X (which at the moment only
    supports PIV cards as far as I know), you can use Keychain-PKCS11.
    For other smartcards you could probably use OpenSC which provides
    a PKCS#11 library and support for smartcards that OS X does not
    support natively. In the interests of full disclosure: I wrote
    Keychain-PKCS11 so I am obviously biased toward it.

    --Ken

  • From Ken Hornstein@21:1/5 to Prabin Tamang on Wed May 4 22:00:45 2022
    Copy: kerberos@mit.edu

    >for more information on this"
    >- People I work with have adapted the stock MIT Kerberos PKINIT plugin
    >to work on Windows.
    >
    >Do you have any sort of documentation that you can point me to on how to
    >make this work with Windows. And also Mac, as we also have Mac users.

    Unfortunately, no (at least, not on Windows).

    We compile our own Kerberos kit for Windows, which has the changes in
    it to build the PKINIT plugin. Actually, I believe it's worse than
    that; from memory I believe we have a separate PKINIT plugin directory.
    And ... the build environment is a huge mess there. I don't recall that
    the code changes are large (I didn't do them), but you do need to source
    a windows-compatible regular expression library. One of my long term
    goals is to get us using as much stock MIT code as possible, but I never
    did work out getting our changes to PKINIT to make it functional on Windows into stock MIT Kerberos. So, I can't really help you there.

    >Currently, my main focus is on Windows machines, so the steps I have done
    >to try to authenticate with a smartcard:
    >1. install MIT Kerberos
    >2. install opensc-pkcs11
    >3. use the following command in the hope that it will use the smartcard:
    >kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dll

    Right, I think you'll have more success with this on MacOS X. The code
    for Windows simply doesn't exist, at least in vanilla MIT Kerberos. There
    are a lot of pieces you need to make PKINIT work, so I'd start with a
    platform where it at least is known to work.

    --Ken

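    The three-step procedure quoted in the message above (install MIT Kerberos, install opensc-pkcs11, run kinit with a PKCS#11 identity) leaves the exact shape of the identity string implicit. The shell script below is an added example, not code from the thread or from MIT Kerberos: it builds the identity value in the colon-delimited `PKCS11:module_name=...[:slotid=...][:token=...][:certid=...]` syntax that the MIT pkinit documentation describes, refuses inputs that cannot be expressed in that syntax (a path containing ':' is ambiguous because ':' is the field separator), and wraps kinit so the PKINIT options are passed as `-X` attributes. The option name is written `X509_user_identity` with a capital X, as in the MIT documentation; the default module paths in `default_pkcs11_module` are assumptions about where OpenSC installs and should be replaced with the path on your own machine.

    ```shell
    #!/bin/sh
    # Added example: assemble and run an MIT kinit PKINIT login against a
    # PKCS#11 module (e.g. opensc-pkcs11). Not part of the original thread.

    # Default OpenSC module path per platform. These locations are assumptions;
    # check where your OpenSC package actually installed the library.
    default_pkcs11_module() {
        case "$(uname -s 2>/dev/null)" in
            Darwin)               echo "/Library/OpenSC/lib/opensc-pkcs11.so" ;;
            MINGW*|MSYS*|CYGWIN*) echo "/c/Program Files/OpenSC Project/OpenSC/pkcs11/opensc-pkcs11.dll" ;;
            *)                    echo "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" ;;
        esac
    }

    # pkinit_identity MODULE [SLOTID] [TOKEN_LABEL] [CERTID]
    # Prints the X509_user_identity value. Optional selectors are appended only
    # when given, so a bare module yields "PKCS11:module_name=<module>".
    pkinit_identity() {
        module=$1; slotid=$2; token=$3; certid=$4
        [ -n "$module" ] || { echo "pkinit_identity: module path required" >&2; return 1; }
        case "$module" in
            *:*)
                # The identity syntax is split on ':'; a drive-letter path like
                # C:/... would be parsed as two fields, so refuse rather than guess.
                echo "pkinit_identity: ':' in module path cannot be expressed in PKCS11: syntax" >&2
                return 1 ;;
            *.so|*.dylib|*.dll) ;;
            *)
                echo "pkinit_identity: '$module' does not look like a PKCS#11 module" >&2
                return 1 ;;
        esac
        id="PKCS11:module_name=$module"
        [ -n "$slotid" ] && id="$id:slotid=$slotid"
        [ -n "$token" ]  && id="$id:token=$token"
        [ -n "$certid" ] && id="$id:certid=$certid"
        printf '%s\n' "$id"
    }

    # kinit_smartcard PRINCIPAL IDENTITY [ANCHORS_PEM]
    # Runs kinit with the PKINIT identity. X509_anchors is only required when the
    # KDC's certificate chain is not already configured via pkinit_anchors in krb5.conf.
    kinit_smartcard() {
        principal=$1; identity=$2; anchors=$3
        set -- -X "X509_user_identity=$identity"
        [ -n "$anchors" ] && set -- "$@" -X "X509_anchors=FILE:$anchors"
        kinit "$@" "$principal"
    }

    # Usage (hypothetical principal and token label):
    #   mod=$(default_pkcs11_module)
    #   [ -r "$mod" ] || { echo "PKCS#11 module not found at $mod" >&2; exit 1; }
    #   id=$(pkinit_identity "$mod" "" "PIV_II") || exit 1
    #   kinit_smartcard user@EXAMPLE.ORG "$id" && klist
    ```

    The `-r` check in the usage comment is worth keeping: when the module path is wrong, kinit's error is about PKINIT preauth failing rather than about a missing file, which is easy to misread as a KDC or certificate problem.
    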
  • From Prabin Tamang@21:1/5 to Ken Hornstein on Wed May 4 21:20:12 2022
    Copy: kerberos@mit.edu

    Hi,

    >for more information on this"
    >- People I work with have adapted the stock MIT Kerberos PKINIT plugin
    >to work on Windows.

    Do you have any sort of documentation that you can point me to on how to
    make this work with Windows? And also Mac, as we also have Mac users.

    Currently, my main focus is on Windows machines, so the steps I have done
    to try to authenticate with a smartcard:
    1. install MIT Kerberos
    2. install opensc-pkcs11
    3. use the following command in the hope that it will use the smartcard:
    kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dll

    but I have not been successful.

    Again, I am continuing this discussion because you mentioned that "people
    have made it work with Windows with the use of the PKINIT plugin".
    And finally, I would like to say thank you very much for replying, as this
    was very helpful information.

    Best,
    Prabin

    On Wed, May 4, 2022 at 7:40 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

    >>I was wondering if the question listed in the link below was ever answered
    >>and if not, I was hoping you could provide one, please.
    >>https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html
    >
    >I can provide a quick summary:
    >
    >- Current stock MIT Kerberos for Windows does not support pkinit (that's
    >what you need to use Smartcards).
    >
    >- People I work with have adapted the stock MIT Kerberos PKINIT plugin
    >to work on Windows.
    >
    >- We've talked with MIT about contributing this code back; it proceeds
    >in fits and starts. The last hold-up was getting a C language regular
    >expression library with an acceptable license for MIT (I didn't
    >think this would be a problem, but it turns out that it is). We use
    >a PCRE library for our distribution but that has its own issues.
    >Unfortunately the developers on that project lost their contract and
    >there aren't currently resources to push that forward into something
    >that MIT would find acceptable.
    >
    >- To answer the specific question in that email message: stock MIT Kerberos
    >works fine with PKINIT under OS X. If you want to use it with
    >Smartcards, you need a compatible PKCS#11 library. If you are using
    >the native smartcard support on OS X (which at the moment only
    >supports PIV cards as far as I know), you can use Keychain-PKCS11.
    >For other smartcards you could probably use OpenSC which provides
    >a PKCS#11 library and support for smartcards that OS X does not
    >support natively. In the interests of full disclosure: I wrote
    >Keychain-PKCS11 so I am obviously biased toward it.
    >
    >--Ken



    --
    Thank you,
    Prabin Tamang

  • From Prabin Tamang@21:1/5 to Ken Hornstein on Thu May 5 01:11:52 2022
    Copy: kerberos@mit.edu

    Gotcha, thank you very much for all the help.
    I guess just out of curiosity:
    - for Windows: there are other tools such as Heimdal and Microsoft
    Kerberos. With those, I don't know if you ever played around with them or
    know if they support smartcard and PIN authentication to get a ticket
    manually.
    Manually meaning, get a ticket for a specified account with the use of
    kinit or similar tools.

    Prabin

    On Wed, May 4, 2022 at 10:00 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

    >>for more information on this"
    >>- People I work with have adapted the stock MIT Kerberos PKINIT plugin
    >>to work on Windows.
    >>
    >>Do you have any sort of documentation that you can point me to on how to
    >>make this work with Windows. And also Mac, as we also have Mac users.
    >
    >Unfortunately, no (at least, not on Windows).
    >
    >We compile our own Kerberos kit for Windows, which has the changes in
    >it to build the PKINIT plugin. Actually, I believe it's worse than
    >that; from memory I believe we have a separate PKINIT plugin directory.
    >And ... the build environment is a huge mess there. I don't recall that
    >the code changes are large (I didn't do them), but you do need to source
    >a windows-compatible regular expression library. One of my long term
    >goals is to get us using as much stock MIT code as possible, but I never
    >did work out getting our changes to PKINIT to make it functional on
    >Windows into stock MIT Kerberos. So, I can't really help you there.
    >
    >>Currently, my main focus is on Windows machines, so the steps I have done
    >>to try to authenticate with a smartcard:
    >>1. install MIT Kerberos
    >>2. install opensc-pkcs11
    >>3. use the following command in the hope that it will use the smartcard:
    >>kinit -X x509_user_identity=PKCS11:path_to_PKCS11.dll
    >
    >Right, I think you'll have more success with this on MacOS X. The code
    >for Windows simply doesn't exist, at least in vanilla MIT Kerberos. There
    >are a lot of pieces you need to make PKINIT work, so I'd start with a
    >platform where it at least is known to work.
    >
    >--Ken



    --
    Thank you,
    Prabin Tamang

  • From Ken Hornstein@21:1/5 to Prabin Tamang on Thu May 5 10:41:41 2022
    Copy: kerberos@mit.edu

    >Gotcha, thank you very much for all the help.
    >I guess just out of curiosity:
    >- for Windows: there are other tools such as Heimdal and Microsoft
    >Kerberos. With those, I don't know if you ever played around with them or
    >know if they support smartcard and PIN authentication to get a ticket
    >manually.
    >Manually meaning, get a ticket for a specified account with the use of
    >kinit or similar tools.

    Here's my limited, imperfect understanding of the situation.

    - My understanding is that the Kerberos implementation supplied by Microsoft
    does implement PKINIT and works with smartcards. But I am not sure if
    you can use it OUTSIDE of an Active Directory domain.

    - It seems that Heimdal _does_ implement PKINIT. But it's not clear to
    me that they support using PKCS#11 to sign the PKINIT request, which
    is the piece you need to make it work with Smartcards. I mean, I see
    there is SOME PKCS#11 support, I just didn't see any calls to something
    like C_SignInit. It's very possible I missed it. You're going to have
    to investigate that on your own.

    --Ken
