List:       krbdev
Subject:    Re: What Should I Push On?
From:       "Henry B. Hotz" <hotz () jpl ! nasa ! gov>
Date:       2012-05-23 0:16:45
Message-ID: 9EFD1340-D4CD-40A0-9723-0711A46C22F6 () jpl ! nasa ! gov

I won't apologize for starting this thread, since I think the discussions have been very useful (if a bit off-topic sometimes).  Hope everyone else enjoyed them as much as I did.

In the end the only thing I would call an actual bug is that the pkinit client plug-in tries to validate the cert on the presented smart card.  That's the kdc's job, not the client's.  Perhaps there's a config option I don't understand which disables that?  It's not hard to work around.

The distribution's coolkey library seems to work fine (at least on a Scientific Linux system).  I don't doubt Doug Engert's investigation, but the platform probably has an effect.  In the SRPM, hunk 14 of coolkey-cac.patch is rejected, but you can figure out what it ought to be by looking at the "before" code in a later patch.  I'll be keeping Doug's patches around in case I run into a problem later.

The output to KRB5_TRACE is insufficient (for me anyway) to debug the configuration for the PKINIT plugin.  You need (at least some of) the stuff that would be output by the pkiDebug() function.  Building with CPPFLAGS=-DDEBUG does the job, but requires a few minor patches to build.  Since the needed patches seem to be the same on SL6 and MacOS 10.6, I'll submit those after I send this email.

I've been doing smart-card Kerberos for some time.  Now I've got all the i's dotted and t's crossed for a no-password realm that doesn't need custom client software on the core OSs used in some of our most critical infrastructure.

Thanks guys!

On May 14, 2012, at 6:21 PM, Henry B. Hotz wrote:

> I've been holding off on adding to this thread until I could be more definitive, but here's a progress report:
> 
> First, the immediate cause of the memory allocation error was that I was feeding a .der file instead of .pem file to kerberos as an anchor.  Since that's documented, it qualifies as a user error.
> 
> Second, getting the "no anchors in file" error to print requires building a version with -DDEBUG, not merely setting KRB5_TRACE.  Doing that build (at least on MacOS 10.6) required 4-5 minor patches.
> 
> Third, "retrying with TCP" did not work (with a Heimdal 1.2 server anyway).  Forcing TCP to begin with was sufficient to get MIT kinit to work with a file-based X.509 credential.  This may not be MIT's fault since Heimdal kinit degrades severely with UDP when scaling up the load to multiple client machines with multiple clients/machine.  Messages larger than a single UDP packet are probably a contributing factor, but I have not verified this.  Since forcing TCP might be a good idea anyway, it will be a while before I get back to this issue.
> 
> So, like I said, that gets things working with a file-based credential.
> 
> Fourth, as Doug said, there are multiple coolkey-1.1.0-19.el6.src.rpm's out there.  After some hunting, the one he posted the patch for is:
> http://koji.thewebwillow.com/kojifiles/packages/coolkey/1.1.0/19.el6/src/coolkey-1.1.0-19.el6.src.rpm
> 
> The MD5 matches.  It contains a "coolkey-piv.patch" file.  And the source file he's patching actually matches up with his diff after you apply all the patches in the SRPM.  However I don't think this is a real "el6" SRPM.  As rank speculation, it might be based off of the coolkey fork on software.forge.mil.  I don't have access to that, and I don't know if I can get it either.
> 
> I will definitely be trying out that SRPM (and Doug's patch) as soon as I get a few other fires put out.
> 
> On May 14, 2012, at 1:31 PM, Dmitri Pal wrote:
> 
> > On 05/05/2012 01:58 PM, Henry B. Hotz wrote:
> > > Thanks for the info.  I may have issues to deal with after this one.  *sigh*
> > > 
> > > Since the specific problem shows with a PKCS12 credential as well, I'm thinking I should get a real RedHat 6.2 instance to test with first.
> > 
> > Is there any way to get these cards to Red Hat for us to be able to test this issue?
> > If this is an option please contact me off list.
> 
> I already responded to Nathan Kinder off-list with a possible NASA contact.  NASA PIV cards are issued under a NASA CA which is under the US Treasury CA.  I know in the past they have provided test cards to Apple.  I don't think it was easy to make that happen, but seems in theory it ought to be possible for RedHat as well.  Not my department, unfortunately.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
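An added example, not from Henry's message or from the MIT krb5 code: a small pre-flight check for the first problem in the quoted progress report, handing krb5 a DER-encoded anchor where the pkinit_anchors FILE: entry expects PEM. The helper names and the sample bytes are my own; the code only inspects and converts the encoding, it does not validate the certificate.

```python
import base64
import re

# Constructed sample input (not a real certificate): a minimal DER SEQUENCE
# holding INTEGER 1, enough to exercise the format detection below.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def classify_anchor(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of an anchor file.

    PEM is textual and carries a BEGIN CERTIFICATE marker; DER is binary and
    opens with the ASN.1 SEQUENCE tag (0x30) that starts every X.509 object.
    """
    if PEM_RE.search(data):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the PEM armour krb5 expects for a FILE: anchor."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: bytes) -> bytes:
    """Inverse of der_to_pem: base64-decode the first PEM certificate block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def check_anchor_file(path: str) -> str:
    """Classify an on-disk anchor file; 'der' means it needs converting first."""
    with open(path, "rb") as f:
        return classify_anchor(f.read())
```

Run check_anchor_file() against each path listed in pkinit_anchors before chasing an allocation error in the PKINIT plugin; a 'der' result is the user error described above.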


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev