<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
Glenn,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<br>
</div>
<div><font face="Calibri,sans-serif">From what I remember PK-INIT does not work when using PubKeyHash for SmartCard account mapping. You will need to use </font><font face="Calibri,sans-serif">/etc/cacloginconfig.plist and the attribute mapping approach to
use Apple’s PKINIT Authorization Plugin.</font></div>
<div><font face="Calibri,sans-serif">Alternatively</font><font face="Calibri,sans-serif"> you could build your own Authorization Plugin that either calls kinit or uses GSSAPI to generate a TGT while still using the </font><font face="Calibri,sans-serif">PubKeyHash approach...</font></div>
<div><font face="Calibri,sans-serif"><br>
</font></div>
<div><a href="https://manuals.info.apple.com/en_US/Smart_Card_Setup_Guide.pdf">https://manuals.info.apple.com/en_US/Smart_Card_Setup_Guide.pdf</a></div>
<div><br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<div>
<div class="">
<div class="" style="direction: ltr; font-family: Tahoma; font-size: 10pt;">
<div class="">
<div class="">
<div class="">
<div class="">Tom Burgin [C]</div>
<div class="">Mac Support Engineer</div>
<div class="">(301) 443-3904</div>
<div class="">NIMH | IRTMB</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<br>
</div>
<span id="OLK_SRC_BODY_SECTION" style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Glenn Machin<br>
<span style="font-weight:bold">Date: </span>Monday, August 31, 2015 at 7:31 AM<br>
<span style="font-weight:bold">To: </span>"Burgin, Thomas (NIH/NIMH) [C]"<br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:smartcardservices-users@lists.macosforge.org">smartcardservices-users@lists.macosforge.org</a>"<br>
<span style="font-weight:bold">Subject: </span>Re: [EXTERNAL] Re: [SmartcardServices-Users] Pkinit working on MacOSX 10.9.5 or 10.10?<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">What I am looking for is the configuration of the MacOSX client. When I monitor with wireshark the only time I can see a pkinit AS_REQ is using the commandline:<br>
<br>
kinit -C KEYCHAIN:<br>
<br>
But only after I have already unlocked the PIV keychain. <br>
<br>
The MacOSX 10.9.5 or 10.10 systems have an /etc/krb5.conf that has the following pkinit configuration, under the realms stanza for both an MIT KDC and Windows KDC who are enabled for pkinit. Note you don't need the "krbtgt/realm@realm" in the KDC cert SAN if
you set pkinit_require_krbtgt_otherName to false:<br>
<br>
pkinit_identities = KEYCHAIN:<br>
pkinit_anchors=<a class="moz-txt-link-freetext" href="FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca">FILE:/usr/local/kerberos/config/etc/pkinit/certificates/trusted-ca</a><br>
pkinit_require_crl_checking = false<br>
pkinit_kdc_hostname = Hostname_of_KDC<br>
pkinit_cert_match = &&<EKU>msScLogin,<KU>digitalSignature<br>
pkinit_cert_match = <SAN><a href="mailto:.*@FEDIDCARD.GOV">.*@FEDIDCARD.GOV</a><br>
pkinit_require_krbtgt_otherName = false<br>
<br>
The problem is I never see pam_opendirectory or pam_krb5 make a Kerberos authentication call (AS_REQ) using the PKINIT preauth data (image below).<br>
<br>
After installing the smartcard services and doing the steps below, I can use the PIV for login and for screenlock, but no Kerberos calls take place.<br>
<ul>
<li>security authorizationdb smartcard enable </li><li>Insert smartcard for USER </li><li>sc_auth accept -u USER –k PIV </li></ul>
An Apple document talked about configuring /etc/cacloginconfig.plist, which I did, but no change.<br>
<br>
So I am curious if anyone has it working outside of using the kinit commandline?<br>
<br>
Thanks<br>
<br>
Glenn<br>
<br>
<br>
<br>
Kerberos AS_REQ using pkinit preauth data (padata):<br>
<br>
<img alt="" src="cid:part1.04020208.00010504@sandia.gov" width="618" height="253"><br>
<br>
<br>
<br>
On 8/30/15 9:12 PM, Burgin, Thomas (NIH/NIMH) [C] wrote:<br>
</div>
<blockquote cite="mid:246A55C6-BB4F-49F7-A908-8E3ED6EDF185@nih.gov" type="cite">
<pre wrap="">I have had success with PK-INIT using a Windows KDC after building a proper SAN for the KDC cert. I am using attribute matching for SmartCard login.
<a class="moz-txt-link-freetext" href="https://github.com/tburgin/SANBuilder">https://github.com/tburgin/SANBuilder</a>
I have not tried with an Open Directory server...
Sent from my iPhone
</pre>
<blockquote type="cite">
<pre wrap="">On Aug 30, 2015, at 9:22 PM, Glenn Machin <a class="moz-txt-link-rfc2396E" href="mailto:gmachin@sandia.gov"><gmachin@sandia.gov></a> wrote:
The only way I can see a Kerberos AS_REQ using PKINIT is using the command line "kinit -C KEYCHAIN:".
Has anyone got PKINIT working via OpenDirectory during login or via pam modules (pam_opendirectory or pam_krb5)?
Shame I don't see Apple publishing documents describing how to enable pkinit given federal government requirements for use of smartcards.
Seems like its the users helping users, while Apple keeps quiet.
Appreciate any help.
Glenn
_______________________________________________
SmartcardServices-Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:SmartcardServices-Users@lists.macosforge.org">SmartcardServices-Users@lists.macosforge.org</a><a class="moz-txt-link-freetext" href="https://lists.macosforge.org/mailman/listinfo/smartcardservices-users">https://lists.macosforge.org/mailman/listinfo/smartcardservices-users</a></pre>
</blockquote>
</blockquote>
<br>
</div>
</div>
</span>
</body>
</html>