[SmartcardServices-Users] [EXTERNAL] Re: Pkinit working on MacOSX 10.9.5 or 10.10?
Glenn Machin
gmachin at sandia.gov
Mon Aug 31 04:31:28 PDT 2015
What I am looking for is the configuration of the MacOSX client. When
I monitor with wireshark the only time I can see a pkinit AS_REQ is
using the command line:
kinit -C KEYCHAIN:
But only after I have already unlocked the PIV keychain.
The MacOSX 10.9.5 or 10.10 systems have an /etc/krb5.conf that has the
following pkinit configuration, under the realms stanza for both an MIT
KDC and Windows KDC that are enabled for pkinit. Note you don't need the
"krbtgt/realm at realm" in the KDC cert SAN if you set
pkinit_require_krbtgt_otherName to false:
pkinit_identities = KEYCHAIN:
pkinit_anchors=FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca
pkinit_require_crl_checking = false
pkinit_kdc_hostname = Hostname_of_KDC
pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature
pkinit_cert_match = <SAN>.*@FEDIDCARD.GOV
pkinit_require_krbtgt_otherName = false
The problem is I never see pam_opendirectory or pam_krb5 make a Kerberos
authentication call (AS_REQ) using the PKINIT preauth data (image below).
After installing the smartcard services and doing the steps below, I can
use the PIV for login and for screenlock, but no Kerberos calls take place.
* security authorizationdb smartcard enable
* Insert smartcard for USER
* sc_auth accept -u USER -k PIV
An Apple document talked about configuring /etc/cacloginconfig.plist,
which I did, but no change.
So I am curious if anyone has it working outside of using the kinit
command line?
Thanks
Glenn
Kerberos AS_REQ using pkinit preauth data (padata):
On 8/30/15 9:12 PM, Burgin, Thomas (NIH/NIMH) [C] wrote:
> I have had success with PK-INIT using a Windows KDC after building a proper SAN for the KDC cert. I am using attribute matching for SmartCard login.
>
> https://github.com/tburgin/SANBuilder
>
> I have not tried with an Open Directory server...
>
> Sent from my iPhone
>
>> On Aug 30, 2015, at 9:22 PM, Glenn Machin <gmachin at sandia.gov> wrote:
>>
>>
>> The only way I can see a Kerberos AS_REQ using PKINIT is using the command line "kinit -C KEYCHAIN:".
>>
>>
>> Has anyone got PKINIT working via OpenDirectory during login or via pam modules (pam_opendirectory or pam_krb5)?
>>
>> Shame I don't see Apple publishing documents describing how to enable pkinit given federal government requirements for use of smartcards.
>> Seems like it's the users helping users, while Apple keeps quiet.
>>
>>
>> Appreciate any help.
>>
>>
>>
>> Glenn
>>
>> _______________________________________________
>> SmartcardServices-Users mailing list
>> SmartcardServices-Users at lists.macosforge.org
>> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
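The two pkinit_cert_match lines in Glenn's krb5.conf above decide which PIV certificate the client offers in the PKINIT AS_REQ, and a wrong rule silently selects nothing. The following Python is an added illustration of that selection logic (my own reading of the MIT krb5 rule syntax, not MIT's or Apple's code); the certificate descriptors are constructed stand-ins, and the "&&" default when no operator is given is taken from the MIT documentation.

```python
import re

# Constructed stand-ins for the certificates a PIV card exposes through the
# KEYCHAIN: identity. Real certs would be parsed from X.509; here the fields
# the matcher looks at are written by hand for illustration.
CERTS = [
    {"label": "piv-auth", "eku": {"msScLogin", "clientAuth"},
     "ku": {"digitalSignature"}, "san": ["1234567890@FEDIDCARD.GOV"]},
    {"label": "digsig", "eku": {"emailProtection"},
     "ku": {"digitalSignature", "nonRepudiation"}, "san": ["user@example.gov"]},
    {"label": "keymgmt", "eku": set(), "ku": {"keyEncipherment"}, "san": []},
]

COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>([^<]*)")

def parse_rule(rule):
    """Split a pkinit_cert_match string into (relation, [(component, value), ...])."""
    rule = rule.strip()
    relation = "&&"  # documented default when no leading && or || is present
    if rule.startswith(("&&", "||")):
        relation, rule = rule[:2], rule[2:]
    parts = COMPONENT.findall(rule)
    if not parts:
        raise ValueError(f"no component rules in {rule!r}")
    return relation, parts

def component_matches(cert, name, value):
    if name in ("EKU", "KU"):
        # Every listed usage must be present; the trailing comma in the
        # page's "<EKU>msScLogin,<KU>..." rule yields an empty item we drop.
        wanted = {v.strip() for v in value.split(",") if v.strip()}
        return wanted <= cert[name.lower()]
    if name == "SAN":
        # Component values are regular expressions, searched unanchored.
        return any(re.search(value, san) for san in cert["san"])
    return bool(re.search(value, cert.get(name.lower(), "")))

def rule_matches(cert, rule):
    relation, parts = parse_rule(rule)
    results = [component_matches(cert, n, v) for n, v in parts]
    return all(results) if relation == "&&" else any(results)

def select_cert(certs, rules):
    """Try rules in order; the first rule matching exactly one cert wins."""
    for rule in rules:
        hits = [c for c in certs if rule_matches(c, rule)]
        if len(hits) == 1:
            return hits[0]["label"]
    return None  # no usable certificate: PKINIT preauth will not be offered
```

With the page's two rules, only the PIV authentication certificate is selected; a looser rule such as `<KU>digitalSignature` matches two certificates and so selects none, which is one reason to check the rules before blaming the login stack.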