List: krbdev
Subject: Re: What Should I Push On?
From: "Henry B. Hotz" <hotz () jpl ! nasa ! gov>
Date: 2012-05-23 0:16:45
Message-ID: 9EFD1340-D4CD-40A0-9723-0711A46C22F6 () jpl ! nasa ! gov
I won't apologize for starting this thread, since I think the discussions have been very useful (if a bit off-topic sometimes). Hope everyone else enjoyed them as much as I did.

In the end the only thing I would call an actual bug is that the pkinit client plug-in tries to validate the cert on the presented smart card. That's the kdc's job, not the client's. Perhaps there's a config option I don't understand which disables that? It's not hard to work around.

The distribution's coolkey library seems to work fine (at least on a Scientific Linux system). I don't doubt Doug Engert's investigation, but the platform probably has an effect. In the SRPM, hunk 14 of coolkey-cac.patch is rejected, but you can figure out what it ought to be by looking at the "before" code in a later patch. I'll be keeping Doug's patches around in case I run into a problem later.

The output to KRB5_TRACE is insufficient (for me anyway) to debug the configuration for the PKINIT plugin. You need (at least some of) the stuff that would be output by the pkiDebug() function. Building with CPPFLAGS=-DDEBUG does the job, but requires a few minor patches to build. Since the needed patches seem to be the same on SL6 and MacOS 10.6, I'll submit those after I send this email.

I've been doing smart-card Kerberos for some time. Now I've got all the i's dotted and t's crossed for a no-password realm that doesn't need custom client software on the core OSs used in some of our most critical infrastructure.
Thanks guys!
On May 14, 2012, at 6:21 PM, Henry B. Hotz wrote:
> I've been holding off on adding to this thread until I could be more definitive, but here's a progress report:
>
> First, the immediate cause of the memory allocation error was that I was feeding a .der file instead of .pem file to kerberos as an anchor. Since that's documented, it qualifies as a user error.
>
> Second, getting the "no anchors in file" error to print requires building a version with -DDEBUG, not merely setting KRB5_TRACE. Doing that build (at least on MacOS 10.6) required 4-5 minor patches.
> Third, "retrying with TCP" did not work (with a Heimdal 1.2 server anyway). Forcing TCP to begin with was sufficient to get MIT kinit to work with a file-based X.509 credential. This may not be MIT's fault since Heimdal kinit degrades severely with UDP when scaling up the load to multiple client machines with multiple clients/machine. Messages larger than a single UDP packet are probably a contributing factor, but I have not verified this. Since forcing TCP might be a good idea anyway, it will be a while before I get back to this issue.
> So, like I said, that gets things working with a file-based credential.
>
> Fourth, as Doug said, there are multiple coolkey-1.1.0-19.el6.src.rpm's out there. After some hunting, the one he posted the patch for is:
> http://koji.thewebwillow.com/kojifiles/packages/coolkey/1.1.0/19.el6/src/coolkey-1.1.0-19.el6.src.rpm
>
> The MD5 matches. It contains a "coolkey-piv.patch" file. And the source file he's patching actually matches up with his diff after you apply all the patches in the SRPM. However I don't think this is a real "el6" SRPM. As rank speculation, it might be based off of the coolkey fork on software.forge.mil. I don't have access to that, and I don't know if I can get it either.
>
> I will definitely be trying out that SRPM (and Doug's patch) as soon as I get a few other fires put out.
> On May 14, 2012, at 1:31 PM, Dmitri Pal wrote:
>
> > On 05/05/2012 01:58 PM, Henry B. Hotz wrote:
> > > Thanks for the info. I may have issues to deal with after this one. *sigh*
> > >
> > > Since the specific problem shows with a PKCS12 credential as well, I'm thinking I should get a real RedHat 6.2 instance to test with first.
> >
> > Is there any way to get these cards to Red Hat for us to be able to test this issue?
> > If this is an option please contact me off list.
>
> I already responded to Nathan Kinder off-list with a possible NASA contact. NASA PIV cards are issued under a NASA CA which is under the US Treasury CA. I know in the past they have provided test cards to Apple. I don't think it was easy to make that happen, but seems in theory it ought to be possible for RedHat as well. Not my department, unfortunately.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
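An added pre-flight check for the two configuration points this thread settled on: a `pkinit_anchors = FILE:` entry must point at a PEM file, not a DER file (the cause of the memory allocation error), and TCP can be forced up front with `udp_preference_limit` rather than relying on "retrying with TCP". This is example code written for this page, not from Henry's message or the MIT Kerberos sources. It assumes a POSIX shell with `od`, `sed` and `grep`; the certificate bodies, realm name and paths in the demo are constructed, not real credentials.

```sh
#!/bin/sh
# Added example (not from the krbdev post): check that every FILE: anchor in a
# krb5.conf is PEM before kinit ever sees it, so a DER file is caught with a
# clear message instead of a confusing pkinit failure.
# Assumes POSIX sh plus od, sed, grep. DIR:, ENV: and PKCS11: anchor sources
# are not inspected.

# Print "pem", "der", "unknown" or "missing" for the file given as $1.
anchor_format() {
    f=$1
    [ -r "$f" ] || { echo missing; return 1; }
    # PEM: text whose first line is a "-----BEGIN ...-----" banner.
    if head -n 1 "$f" | grep -q -e '^-----BEGIN '; then
        echo pem; return 0
    fi
    # DER: binary starting with the ASN.1 SEQUENCE tag 0x30.
    if [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
        echo der; return 0
    fi
    echo unknown; return 1
}

# Return 0 if every "pkinit_anchors = FILE:..." in krb5.conf $1 is PEM, else 1.
check_pkinit_anchors() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\([^[:space:]]*\).*/\1/p' "$1" |
    (
        bad=0
        while IFS= read -r path; do
            fmt=$(anchor_format "$path")
            if [ "$fmt" = pem ]; then
                echo "ok   $path"
            else
                echo "FAIL $path is $fmt; pkinit_anchors needs a PEM file"
                bad=1
            fi
        done
        exit $bad
    )
}

# Build a constructed krb5.conf in directory $1 with one PEM-style and one
# DER-style anchor, and print the path of the conf. The certificate bodies are
# placeholders, not real certificates.
make_demo_conf() {
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedPlaceholderNotARealCertificate' \
        '-----END CERTIFICATE-----' > "$d/good.pem"
    printf '\060\202\001\000\060\202\000\300' > "$d/bad.der"
    cat > "$d/krb5.conf" <<EOF
[libdefaults]
    default_realm = EXAMPLE.ORG
# Force TCP from the first request instead of waiting for a UDP retry.
    udp_preference_limit = 1

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        pkinit_anchors = FILE:$d/good.pem
        pkinit_anchors = FILE:$d/bad.der
    }
EOF
    echo "$d/krb5.conf"
}

# Demo run on the constructed config; the DER anchor is reported as a failure.
demo_dir=$(mktemp -d)
if check_pkinit_anchors "$(make_demo_conf "$demo_dir")"; then
    echo "all FILE: anchors are PEM"
else
    echo "fix the anchors listed above before running kinit"
fi
rm -rf "$demo_dir"
```

Run it against the real krb5.conf with `check_pkinit_anchors /etc/krb5.conf`; a DER anchor can then be converted with `openssl x509 -inform DER -in anchor.der -out anchor.pem` (a standard OpenSSL invocation, not something from the thread).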