PKINIT working on Mac OS X 10.9.5 or 10.10?

The only way I can see a Kerberos AS_REQ using PKINIT is using the command line "kinit -C KEYCHAIN:".

Has anyone got PKINIT working via OpenDirectory during login or via PAM modules (pam_opendirectory or pam_krb5)?

Shame I don't see Apple publishing documents describing how to enable PKINIT given federal government requirements for use of smartcards. Seems like it's the users helping users, while Apple keeps quiet.

Appreciate any help.

Glenn
I have had success with PK-INIT using a Windows KDC after building a proper SAN for the KDC cert. I am using attribute matching for smartcard login.

https://github.com/tburgin/SANBuilder

I have not tried with an Open Directory server...

Sent from my iPhone
On Aug 30, 2015, at 9:22 PM, Glenn Machin <gmachin@sandia.gov> wrote:
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
What I am looking for is the configuration of the Mac OS X client. When I monitor with Wireshark, the only time I can see a PKINIT AS_REQ is when using the command line:

    kinit -C KEYCHAIN:

But only after I have already unlocked the PIV keychain.

The Mac OS X 10.9.5 and 10.10 systems have an /etc/krb5.conf with the following PKINIT configuration under the realms stanza, for both an MIT KDC and a Windows KDC that are enabled for PKINIT. Note you don't need the "krbtgt/realm@realm" in the KDC cert SAN if you set pkinit_require_krbtgt_otherName to false:

    pkinit_identities = KEYCHAIN:
    pkinit_anchors = FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca
    pkinit_require_crl_checking = false
    pkinit_kdc_hostname = Hostname_of_KDC
    pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
    pkinit_cert_match = <SAN>.*@FEDIDCARD.GOV
    pkinit_require_krbtgt_otherName = false

The problem is I never see pam_opendirectory or pam_krb5 make a Kerberos authentication call (AS_REQ) using the PKINIT preauth data (image below). After installing the smartcard services and doing the steps below, I can use the PIV for login and for screen lock, but no Kerberos calls take place.

* security authorizationdb smartcard enable
* Insert smartcard for USER
* sc_auth accept -u USER -k PIV

An Apple document talked about configuring /etc/cacloginconfig.plist, which I did, but no change.

So I am curious if anyone has it working outside of using the kinit command line?

Thanks
Glenn

[image: Kerberos AS_REQ using pkinit preauth data (padata)]

On 8/30/15 9:12 PM, Burgin, Thomas (NIH/NIMH) [C] wrote:
Glenn,

From what I remember PK-INIT does not work when using PubKeyHash for smartcard account mapping. You will need to use /etc/cacloginconfig.plist and the attribute mapping approach to use Apple's PKINIT Authorization Plugin. Alternatively you could build your own Authorization Plugin that either calls kinit or uses GSSAPI to generate a TGT while still using the PubKeyHash approach...

https://manuals.info.apple.com/en_US/Smart_Card_Setup_Guide.pdf

Tom Burgin [C]
Mac Support Engineer
(301) 443-3904
NIMH | IRTMB

From: Glenn Machin
Date: Monday, August 31, 2015 at 7:31 AM
To: "Burgin, Thomas (NIH/NIMH) [C]"
Cc: smartcardservices-users@lists.macosforge.org
Subject: Re: [EXTERNAL] Re: [SmartcardServices-Users] Pkinit working on MacOSX 10.9.5 or 10.10?
Thanks for this, I wasn't aware that there was a flag for pkinit_require_krbtgt_otherName. Still, I would think there is stronger trust with a KDC if this is enabled.

Tom Burgin [C]
Mac Support Engineer
(301) 443-3904
NIMH | IRTMB

From: "Burgin, Thomas (NIH/NIMH) [C]"
Date: Monday, August 31, 2015 at 9:53 AM
To: Glenn Machin
Cc: smartcardservices-users@lists.macosforge.org
Subject: Re: [EXTERNAL] Re: [SmartcardServices-Users] Pkinit working on MacOSX 10.9.5 or 10.10?
On 29 Aug 2015 at 23:30, Glenn Machin <gmachin@sandia.gov> wrote:

> The only way I can see a Kerberos AS_REQ using PKINIT is using the command line "kinit -C KEYCHAIN:".

Same behaviour here. I'm not able to use the standard system with PKINIT.

> Has anyone got PKINIT working via OpenDirectory during login or via pam modules (pam_opendirectory or pam_krb5)?
> Shame I don't see Apple publishing documents describing how to enable pkinit given federal government requirements for use of smartcards. Seems like it's the users helping users, while Apple keeps quiet.

The only advice I can give is to use Centrify Express. It's free, it works, and it will be quick for you.

Best regards,
Yoann Gini
I did try it. It seemed like all it did was what the Macforge smartcard services package does, along with installing the CA certificates for DoD (and maybe other) CAC cards. It was early on and I have a little better understanding now, so I will try again. We are also going to get the non-Express version of Centrify to see if that enables PKINIT with PIV for login and screen lock. I will let this email list know what I find.

Thanks for the response,
Glenn

On 8/31/15 2:04 AM, Yoann Gini wrote:
participants (3)
- Burgin, Thomas (NIH/NIMH) [C]
- Glenn Machin
- Yoann Gini