[opensuse] Kerberos & smartcard
Hi all,

Anyone around who succeeded in doing a kinit, based on the credentials locked into a smartcard? Obviously not an amateur endeavour, so any experience with any distro / any version?

Started today exploring, with absolute zero access to the Kerberos server. I can do a kinit providing username@REALM, and after supplying PWD, I do see my TGT with klist.

Q1) Is it enough to configure krb5.conf on the client? One search tells me:

    PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]

While another tells me that I should also provide the certificate of the Kerberos server.

Initially I'll test from inside, so hardly any firewall issues. But I know for sure I'll have to ask to tweak our firewall when trying from outside.

Q2) Should opening of TCP port 88 be enough, or is that impossible to predict? (And before telling: yes, I know this is rather client/server-time-critical.)

Kind regards, Hans

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

23.01.2018 00:27, suse@a-domani.nl wrote:
> Hi all,
> Anyone around who succeeded in doing a kinit, based on the credentials locked into a smartcard.

This requires a Kerberos server with PKI support. Do you have one?

You use the smartcard to store your certificate, which is later used to authenticate you. So the server must be able to use certificates instead of passwords and have your certificate (public part) to validate you.

On 2018-01-23 05:13, Andrei Borzenkov wrote:
> 23.01.2018 00:27, suse@a-domani.nl wrote:
>> Hi all,
>> Anyone around who succeeded in doing a kinit, based on the credentials locked into a smartcard.
> This requires a Kerberos server with PKI support. Do you have one?
> You use the smartcard to store your certificate, which is later used to authenticate you. So the server must be able to use certificates instead of passwords and have your certificate (public part) to validate you.

According to friends, the server should have PKI support. So, the next question is: where and how should I incorporate the next line in /etc/krb5.conf?

    "PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]"

With pkcs11-tools I got the proper values of label and id, but where? I included some lines under the [realms] section, but that's not used.

Kind regards, Hans
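
Where the PKCS11 identity string quoted in the messages above goes in an MIT Kerberos client configuration, as an added example that is not from either poster: it is the value of the `pkinit_identities` relation, which MIT krb5 reads from `[libdefaults]` or from the realm's own block under `[realms]`. The realm name, KDC host, module path, token and certificate labels and CA file are all placeholders, and the example assumes the client uses MIT Kerberos with its PKINIT preauth plugin installed, which the thread does not state.

```ini
# /etc/krb5.conf (MIT Kerberos client). Every value below is a placeholder.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # PKINIT relations set per realm go inside the realm's { } block.
    EXAMPLE.COM = {
        kdc = kdc.example.com

        # Client identity: the certificate and private key on the smartcard,
        # reached through a PKCS#11 module. token= and certlabel= (or certid=)
        # take the label and id values read from the card.
        pkinit_identities = PKCS11:module_name=/usr/lib64/opensc-pkcs11.so:token=MY-TOKEN-LABEL:certlabel=MY-CERT-LABEL

        # Trust anchor: the CA certificate that issued the KDC's certificate,
        # so the client can verify the KDC before accepting its reply.
        pkinit_anchors = FILE:/etc/pki/kdc-ca.pem

        # Accept a KDC certificate that carries this dNSName SAN instead of
        # the id-pkinit-san defined in RFC 4556.
        pkinit_kdc_hostname = kdc.example.com
    }

# One-off test that passes the identity on the command line instead:
#   kinit -X X509_user_identity='PKCS11:module_name=/usr/lib64/opensc-pkcs11.so:certlabel=MY-CERT-LABEL' user@EXAMPLE.COM
```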

participants (2)
- Andrei Borzenkov
- suse@a-domani.nl