[SmartcardServices-Users] [EXTERNAL] Re: Pkinit working on MacOSX 10.9.5 or 10.10?

Glenn Machin gmachin at sandia.gov
Mon Aug 31 04:31:28 PDT 2015


What I am looking for is the configuration of the MacOSX client. When 
I monitor with Wireshark the only time I can see a pkinit AS_REQ is 
using the command line:

             kinit -C KEYCHAIN:

But only after I have already unlocked the PIV keychain.

The MacOSX 10.9.5 or 10.10 systems have an /etc/krb5.conf that has the 
following pkinit configuration, under the realms stanza for both an MIT 
KDC and a Windows KDC that are enabled for pkinit. Note you don't need the 
"krbtgt/realm@realm" in the KDC cert SAN if you set 
pkinit_require_krbtgt_otherName to false:

    pkinit_identities = KEYCHAIN:
    pkinit_anchors = FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca
    pkinit_require_crl_checking = false
    pkinit_kdc_hostname = Hostname_of_KDC
    pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
    pkinit_cert_match = <SAN>.*@FEDIDCARD.GOV
    pkinit_require_krbtgt_otherName = false

The problem is I never see pam_opendirectory or pam_krb5 make a Kerberos 
authentication call (AS_REQ) using the PKINIT preauth data (image below).

After installing the smartcard services and doing the steps below, I can 
use the PIV for login and for screenlock, but no Kerberos calls take place.

  * security authorizationdb smartcard enable
  * Insert smartcard for USER
  * sc_auth accept -u USER -k PIV

An Apple document talked about configuring /etc/cacloginconfig.plist, 
which I did, but no change.

So I am curious if anyone has it working outside of using the kinit 
command line?

Thanks

       Glenn



Kerberos AS_REQ using pkinit preauth data (padata):

[attached screenshot: Screen Shot 2015-08-31 at 5.17.28 AM.png]

On 8/30/15 9:12 PM, Burgin, Thomas (NIH/NIMH) [C] wrote:
> I have had success with PK-INIT using a Windows KDC after building a proper SAN for the KDC cert. I am using attribute matching for SmartCard login.
>
> https://github.com/tburgin/SANBuilder
>
> I have not tried with an Open Directory server...
>
> Sent from my iPhone
>
>> On Aug 30, 2015, at 9:22 PM, Glenn Machin <gmachin at sandia.gov> wrote:
>>
>>
>> The only way I can see a Kerberos AS_REQ using PKINIT is using the command line "kinit -C KEYCHAIN:".
>>
>>
>> Has anyone got PKINIT working via OpenDirectory during login or via pam modules (pam_opendirectory or pam_krb5)?
>>
>> Shame I don't see Apple publishing documents describing how to enable pkinit given federal government requirements for use of smartcards.
>> Seems like it's the users helping users, while Apple keeps quiet.
>>
>>
>> Appreciate any help.
>>
>>
>>
>> Glenn
>>
>> _______________________________________________
>> SmartcardServices-Users mailing list
>> SmartcardServices-Users at lists.macosforge.org
>> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users

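Added example (editor's note, not part of Glenn's post and not Heimdal, MIT or Apple code): a small Python model of the two client-side decisions the krb5.conf above controls. The first half evaluates the two pkinit_cert_match lines against the certificates a PIV card typically carries, to show that the rules are what narrow KEYCHAIN: down to the PIV Authentication certificate and exclude the card-authentication, signing and key-management certificates. The second half models the KDC certificate identity check: with pkinit_require_krbtgt_otherName = true the client insists on a krbtgt/REALM@REALM id-pkinit-san otherName in the KDC certificate; with it set to false, as in the configuration above, that check is skipped and the client's confidence that it is talking to its own realm's KDC rests only on the trusted anchors plus the pkinit_kdc_hostname dNSName match, which is the trade-off that setting buys. All certificate contents are constructed sample data, the rule semantics (`&&` means every predicate must hold, `||` any one, no prefix behaves like `&&`, and a certificate must pass every pkinit_cert_match line) are a simplified model of the documented syntax rather than the Heimdal implementation, and the function and variable names are the example's own.

```python
import re

# pkinit_cert_match lines exactly as they appear in the krb5.conf above.
CERT_MATCH_RULES = [
    "&&<EKU>msScLogin,<KU>digitalSignature",
    "<SAN>.*@FEDIDCARD.GOV",
]

# Constructed sample data (not real PIV contents): the four certificates a
# PIV card typically carries, reduced to the fields the match rules inspect.
PIV_CERTS = {
    "PIV Authentication": {
        "ku": {"digitalSignature"},
        "eku": {"clientAuth", "msScLogin"},
        "san": ["123456789012345@FEDIDCARD.GOV"],  # UPN otherName
    },
    "Card Authentication": {
        "ku": {"digitalSignature"},
        "eku": {"id-PIV-cardAuth"},
        "san": ["urn:uuid:2f7c1d8e-4b3a-4c6d-9e1f-0a5b6c7d8e9f"],
    },
    "Digital Signature": {
        "ku": {"digitalSignature", "nonRepudiation"},
        "eku": {"emailProtection"},
        "san": ["jane.doe@agency.example"],  # rfc822Name
    },
    "Key Management": {
        "ku": {"keyEncipherment"},
        "eku": {"emailProtection"},
        "san": ["jane.doe@agency.example"],
    },
}


def parse_rule(rule):
    """Split one pkinit_cert_match line into (mode, [(tag, argument), ...]).

    Assumption: a leading '&&' means every predicate must hold, '||' means
    any one may; a rule without a prefix is treated like '&&'.
    """
    mode = "&&"
    if rule[:2] in ("&&", "||"):
        mode, rule = rule[:2], rule[2:]
    preds = re.findall(r"<(KU|EKU|SAN|SUBJECT)>([^<]*)", rule)
    return mode, [(tag, arg.rstrip(",")) for tag, arg in preds]


def predicate_holds(tag, arg, cert):
    """Evaluate a single <TAG>argument predicate against one certificate."""
    if tag == "KU":       # every listed key usage bit must be set
        return all(ku in cert["ku"] for ku in arg.split(","))
    if tag == "EKU":      # every listed extended key usage must be present
        return all(eku in cert["eku"] for eku in arg.split(","))
    if tag == "SAN":      # regex searched against each subject alt name
        return any(re.search(arg, san) for san in cert["san"])
    if tag == "SUBJECT":  # regex searched against the subject DN string
        return re.search(arg, cert.get("subject", "")) is not None
    raise ValueError(f"unknown match tag {tag}")


def rule_holds(rule, cert):
    mode, preds = parse_rule(rule)
    results = [predicate_holds(tag, arg, cert) for tag, arg in preds]
    return all(results) if mode == "&&" else any(results)


def select_certs(rules, certs):
    """Names of the certificates eligible for PKINIT under the given rules.

    Assumption: a certificate has to satisfy every pkinit_cert_match line.
    """
    return [name for name, cert in certs.items()
            if all(rule_holds(r, cert) for r in rules)]


def kdc_cert_acceptable(kdc_san, realm, require_krbtgt_othername, kdc_hostname):
    """Simplified model of the client's KDC certificate identity checks.

    kdc_san: {"pkinit": [KRB5PrincipalName strings], "dns": [dNSName strings]}
    Assumption: with pkinit_require_krbtgt_otherName = false the id-pkinit-san
    check is skipped and only the pkinit_kdc_hostname dNSName match remains.
    """
    if require_krbtgt_othername:
        if f"krbtgt/{realm}@{realm}" not in kdc_san.get("pkinit", []):
            return False, "no krbtgt/REALM@REALM id-pkinit-san in KDC cert"
    if kdc_hostname is not None:
        names = {n.lower() for n in kdc_san.get("dns", [])}
        if kdc_hostname.lower() not in names:
            return False, "KDC cert dNSName does not match pkinit_kdc_hostname"
    return True, "KDC cert accepted"


# Constructed sample: a KDC certificate that carries only a dNSName SAN.
WINDOWS_KDC_SAN = {"pkinit": [], "dns": ["kdc.agency.example"]}

if __name__ == "__main__":
    print(select_certs(CERT_MATCH_RULES, PIV_CERTS))
    for require in (True, False):
        print(require, kdc_cert_acceptable(WINDOWS_KDC_SAN, "AGENCY.EXAMPLE",
                                           require, "kdc.agency.example"))
```

Run stand-alone, the first line prints only the PIV Authentication certificate, and the KDC check shows the same dNSName-only certificate rejected with the otherName requirement on and accepted with it off. When relaxing pkinit_require_krbtgt_otherName, keep pkinit_kdc_hostname set and the anchor file limited to the CA that actually issues KDC certificates; otherwise any certificate chaining to those anchors would pass.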
Attachment: Screen Shot 2015-08-31 at 5.17.28 AM.png (image/png, 48280 bytes)
URL: <https://lists.macosforge.org/pipermail/smartcardservices-users/attachments/20150831/1cba1b4b/attachment-0001.png>