Tuesday Oct 20, 2009

Using pktool to create certificates for Kerberos PKINIT

Wyllys recently fixed a couple of bugs (6889730, 6889224, 6887337) in KMF/pktool, which means that pktool can finally be used to generate certificates for Kerberos PKINIT on Solaris. Up until now it was necessary to use OpenSSL with an extension file in order to create certificates carrying the PKINIT-specific subjectAltName and extended key usage values. pktool now has this knowledge baked in!

Initialize the keystore. If the softoken keystore hasn't been initialized yet, the current passphrase is "changeme".

$ pktool setpin
Enter token passphrase:
Create new passphrase:
Re-enter new passphrase:
Passphrase changed.

Generate the CA certificate (gencert produces a self-signed certificate, stored under the label "ca").

$ pktool gencert label=ca subject="CN=ca" serial=0x01

Generate a certificate request for the KDC.

$ pktool gencsr label=kdc outcsr=kdc.csr subject="CN=kdc" \
      altname="KRB=krbtgt/ACME.COM@ACME.COM" \
      keyusage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement \
      eku=KPKdc

Sign the KDC request.

$ pktool signcsr signkey=ca csr=kdc.csr serial=0x02 \
      outcert=kdc.cert issuer="CN=ca"

Generate a certificate request for the client.

$ pktool gencsr label=client outcsr=client.csr \
      subject="CN=client" altname="KRB=client@ACME.COM" \
      keyusage=digitalSignature,keyEncipherment,keyAgreement \
      eku=KPClientAuth

Sign the client request.

$ pktool signcsr signkey=ca csr=client.csr serial=0x03 \
      outcert=client.cert issuer="CN=ca"

Extract the certs/keys into files.

$ pktool export objtype=cert outformat=pem label=ca \
      outfile=ca.cert
$ pktool export objtype=key outformat=pem label=kdc \
      outfile=kdc.key
$ pktool export objtype=key outformat=pem label=client \
      outfile=client.key
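What the altname="KRB=..." arguments above ask pktool for is the id-pkinit-san otherName of RFC 4556 section 3.2.2: a DER-encoded KRB5PrincipalName carried in the certificate's subjectAltName. The Python below is an added example, not code from this post or from pktool/KMF. It encodes that structure for the two principals used above, decodes it again, and performs the match a PKINIT peer makes between the certificate's otherName and the principal it expects. It assumes the name types from the MIT pkinit documentation's OpenSSL templates (NT-SRV-INST, 2, for the KDC's krbtgt principal and NT-PRINCIPAL, 1, for users); the post does not say which name type pktool itself emits, so treat that as an assumption.

```python
"""Encode and check the PKINIT subjectAltName otherName (RFC 4556 3.2.2).

Added example, not code from the post or from pktool/KMF; standard library only.
Assumption: name-type 2 (NT-SRV-INST) for the KDC's krbtgt principal and
1 (NT-PRINCIPAL) for users, as in the MIT pkinit docs' OpenSSL templates.
"""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # id-pkinit-san, the otherName type-id
NT_PRINCIPAL = 1
NT_SRV_INST = 2

def _len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _oid_body(dotted):
    """Content octets of an OBJECT IDENTIFIER given in dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def _explicit(n, body):
    return _tlv(0xA0 | n, body)            # [n] EXPLICIT, context-specific constructed

def _kerberos_string(s):
    return _tlv(0x1B, s.encode("ascii"))   # KerberosString is a GeneralString

def encode_krb5_principal_name(principal, name_type):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    The name types used here are small positive integers, so the Int32 fits one octet."""
    name, realm = principal.rsplit("@", 1)
    name_string = _tlv(0x30, b"".join(_kerberos_string(c) for c in name.split("/")))
    principal_name = _tlv(0x30, _explicit(0, _tlv(0x02, bytes([name_type])))
                          + _explicit(1, name_string))
    return _tlv(0x30, _explicit(0, _kerberos_string(realm)) + _explicit(1, principal_name))

def pkinit_san_other_name(principal, name_type):
    """GeneralName otherName, i.e. [0] IMPLICIT OtherName { type-id id-pkinit-san,
    value [0] EXPLICIT KRB5PrincipalName }: the altname="KRB=..." value."""
    body = _tlv(0x06, _oid_body(ID_PKINIT_SAN))
    body += _explicit(0, encode_krb5_principal_name(principal, name_type))
    return _tlv(0xA0, body)

def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def decode_krb5_principal_name(der):
    """Inverse of encode_krb5_principal_name: returns (principal, name_type)."""
    _, seq, _ = _read_tlv(der, 0)
    _, realm_wrap, pos = _read_tlv(seq, 0)             # [0] realm
    _, realm, _ = _read_tlv(realm_wrap, 0)
    _, pn_wrap, _ = _read_tlv(seq, pos)                # [1] principalName
    _, pn, _ = _read_tlv(pn_wrap, 0)
    _, nt_wrap, pos = _read_tlv(pn, 0)                 # [0] name-type
    _, nt, _ = _read_tlv(nt_wrap, 0)
    _, ns_wrap, _ = _read_tlv(pn, pos)                 # [1] name-string
    _, ns, _ = _read_tlv(ns_wrap, 0)
    comps, pos = [], 0
    while pos < len(ns):
        _, comp, pos = _read_tlv(ns, pos)
        comps.append(comp.decode("ascii"))
    return "/".join(comps) + "@" + realm.decode("ascii"), int.from_bytes(nt, "big", signed=True)

def san_matches_principal(other_name, expected):
    """The check a PKINIT peer makes: does the id-pkinit-san name the expected principal?
    A GeneralName of another type, another otherName type-id, or another principal fails."""
    tag, body, _ = _read_tlv(other_name, 0)
    if tag != 0xA0:
        return False
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != _oid_body(ID_PKINIT_SAN):
        return False
    _, value, _ = _read_tlv(body, pos)                 # [0] EXPLICIT KRB5PrincipalName
    principal, _ = decode_krb5_principal_name(value)
    return principal == expected

if __name__ == "__main__":
    for princ, nt in (("krbtgt/ACME.COM@ACME.COM", NT_SRV_INST), ("client@ACME.COM", NT_PRINCIPAL)):
        san = pkinit_san_other_name(princ, nt)
        print(princ, san.hex(), san_matches_principal(san, princ))
```

The hex the script prints for the client principal starts with a0 2d 06 06 2b 06 01 05 02 02: the otherName tag, then the id-pkinit-san OID. If a certificate's subjectAltName shows a different type-id (or a dNSName instead of an otherName), the KDC or client will not accept it for PKINIT however correct the EKU looks, which is the mistake the old OpenSSL extension-file approach made easy.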

For the KDC make sure that /etc/krb5/kdc.conf contains pointers to the certs and keys.

...
[realms]
    ACME.COM = {
        ...
        pkinit_anchors = FILE:/var/tmp/certs/ca.cert
        pkinit_identity = FILE:/var/tmp/certs/kdc.cert,/var/tmp/certs/kdc.key
    }
...

For the client, either modify /etc/krb5/krb5.conf or pass the equivalent arguments to kinit:

kinit -X X509_user_identity=FILE:/var/tmp/certs/client.cert,/var/tmp/certs/client.key -X X509_anchors=FILE:/var/tmp/certs/ca.cert client
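The krb5.conf form of those two kinit -X options, as an added example rather than configuration taken from the post. The option names are MIT Kerberos's client-side PKINIT settings (note the plural pkinit_identities here, versus pkinit_identity in kdc.conf above); with them in place a plain "kinit client" uses the certificate.

```ini
[realms]
    ACME.COM = {
        pkinit_anchors = FILE:/var/tmp/certs/ca.cert
        pkinit_identities = FILE:/var/tmp/certs/client.cert,/var/tmp/certs/client.key
    }
```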

Thursday Jan 01, 2009

Enhanced command-line editing support in Kerberos admin tools

Back in November I added enhanced command line editing support to the Kerberos administration tools kadmin(1M), kadmin.local(1M) and ktutil(1M).

When run interactively these commands support a vastly improved interface - things like tab-completion of sub-commands, command-line editing and command history are suddenly available. The tecla library was used to add the enhanced functionality. Other commands using libtecla on Solaris/OpenSolaris are zonecfg(1M), svccfg(1M) and elfedit(1).

libtecla can be configured by creating a ~/.teclarc file. As I use vi keybindings in my shell it makes sense to have the same keybindings when using libtecla applications. libtecla by default uses emacs keybindings. My ~/.teclarc looks like this:

$ cat ~/.teclarc 
edit-mode vi
$
I'm planning on contributing back the changes to MIT soon.

Thursday Apr 17, 2008

What's new for Kerberos in Solaris 10 5/08

Solaris 10 5/08 was just released and it contains a number of significant enhancements to Kerberos. I've drawn up a list of new features, singling out the ones I think are most significant. Even apart from these new features there were many bug fixes and other minor improvements.

  • Support for Kerberos principal and policy records in LDAP

    Adds support for accessing Kerberos principal and policy records stored on a Directory Server, via LDAP. Storing Kerberos records in LDAP has a number of advantages over the default db2 database such as simplified administration and allowing for multi-master KDC configuration. The KDC now supports a pluggable system for database storage. Both the new LDAP support and the older db2 database storage system are now implemented as plugins. Configuring a KDC with an LDAP database backend is a little different from the older db2 administration. A new utility kdb5_ldap_util and new configuration options are needed. You can find an updated Kerberos administration guide here which covers this new feature.

  • Zero-configuration Kerberos clients

    This is not a single feature per se but rather a number of relatively minor changes which together can obviate the need to explicitly configure Kerberos clients. The following changes were made:

    • dns_lookup_kdc is enabled by default
    • The Kerberos realm for a given host (or default realm) is determined heuristically from the DNS domain name of the host ( or local host)
    • krb5.conf has been modified so that it is not mis-configured by default
    • Client-side referral support was added which allows the KDC to inform the client what realm they are in. Microsoft's Active Directory is an example of a KDC which supports this

  • Full resync with MIT 1.4.3

    The Kerberos daemons, utilities and libraries are now fully in sync with MIT Kerberos 1.4.3 and contain some features of MIT 1.6. A new utility was introduced - k5srvutil - and new options were added to krb5.conf. One particularly useful option is auth_to_local, which allows a more flexible mapping of principal names to local user names.

Sunday Oct 14, 2007

Kerberos Project on OpenSolaris.org

I've just set up the new Kerberos project on opensolaris.org.

It's the new home of all things related to Kerberos on OpenSolaris. The project will be officially launched in the next day or so. It's currently hidden, but if you know where to go you can take a peek.

About

mbp
