Glenn,

From what I remember PK-INIT does not work when using PubKeyHash for SmartCard account mapping. You will need to use /etc/cacloginconfig.plist and the attribute mapping approach to use Apple’s PKINIT Authorization Plugin.
Alternatively you could build your own Authorization Plugin that either calls kinit or uses GSSAPI to generate a TGT while still using the PubKeyHash approach...

https://manuals.info.apple.com/en_US/Smart_Card_Setup_Guide.pdf

Tom Burgin [C]
Mac Support Engineer
(301) 443-3904
NIMH | IRTMB

From: Glenn Machin
Date: Monday, August 31, 2015 at 7:31 AM
To: "Burgin, Thomas (NIH/NIMH) [C]"
Cc: "smartcardservices-users@lists.macosforge.org"
Subject: Re: [EXTERNAL] Re: [SmartcardServices-Users] Pkinit working on MacOSX 10.9.5 or 10.10?

What I am looking for is the configuration of the MacOSX client.   When I monitor with wireshark the only time I can see a pkinit AS_REQ is using the commandline:

            kinit -C KEYCHAIN:

But only after I have already unlocked the PIV keychain.  

The MacOSX 10.9.5 or 10.10 systems have an /etc/krb5.conf that has the following pkinit configuration, under the realms stanza for both an MIT KDC and Windows KDC who are enabled for pkinit. Note you don't need the "krbtgt/realm@realm" in the KDC cert SAN if you set pkinit_require_krbtgt_otherName to false:

  pkinit_identities = KEYCHAIN:
  pkinit_anchors=FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca
  pkinit_require_crl_checking = false
  pkinit_kdc_hostname = Hostname_of_KDC
  pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
  pkinit_cert_match = <SAN>.*@FEDIDCARD.GOV
  pkinit_require_krbtgt_otherName = false

The problem is I never see pam_opendirectory or pam_krb5 make a Kerberos authentication call (AS_REQ) using the PKINIT preauth data (image below).

After installing the smartcard services and doing the steps below, I can use the PIV for login and for screenlock, but no Kerberos calls take place.
  • security authorizationdb smartcard enable
  • Insert smartcard for USER
  • sc_auth accept -u USER –k PIV
An Apple document talked about configuring /etc/cacloginconfig.plist, which I did, but no change.

So I am curious if anyone has it working outside of using the kinit commandline?

Thanks

      Glenn
 


Kerberos AS_REQ using pkinit preauth data (padata):





On 8/30/15 9:12 PM, Burgin, Thomas (NIH/NIMH) [C] wrote:
I have had success with PK-INIT using a Windows KDC after building a proper SAN for the KDC cert. I am using attribute matching for SmartCard login.

https://github.com/tburgin/SANBuilder

I have not tried with an Open Directory server...

Sent from my iPhone


On Aug 30, 2015, at 9:22 PM, Glenn Machin <gmachin@sandia.gov> wrote:


The only way I can see a Kerberos AS_REQ using PKINIT is using the command line "kinit -C KEYCHAIN:".


Has anyone got PKINIT working via OpenDirectory  during login or via pam modules (pam_opendirectory or pam_krb5)?

Shame I don't see Apple publishing documents describing how to enable pkinit given federal government requirements for use of smartcards.
Seems like its the users helping users, while Apple keeps quiet.


Appreciate any help.



Glenn

_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.orghttps://lists.macosforge.org/mailman/listinfo/smartcardservices-users