[29008] in Kerberos

Re: Authenticating on kerberos via certificates

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Jan 10 10:07:50 2008

Message-ID: <47863486.1030308@anl.gov>
Date: Thu, 10 Jan 2008 09:06:46 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Andrea <acirulli@gmail.com>
In-Reply-To: <6015d0d7-3be6-46be-8500-c648e7a1e5e5@i7g2000prf.googlegroups.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Andrea wrote:
> Hi all,
> I'm facing this problem:
> 
> I have a working authentication configure system that uses Kerberos
> for authentication. The credentials that have to be passed in order to
> obtain a TGT are username and password. Now I'm looking for some hint
> on how to authenticate on kerberos through certificates like X.509.
> 
> This is what I want:
> 
> Let's assume that a user has a valid certificate created by a CA. The
> user can authenticate himself without prompting any user/pwd but just
> having the certificate. According to you is it possible to construct
> an intermediate layer between the user and kerberos which maps the
> certificates in credentials allowing Kerberos to authenticate the user
> himself.

Yes, that is called PKINIT. Heimdal and MIT have just introduced this
late last year. Windows has also supported this since W2000, as smart
card login. All three have clients and KDCs, and can interoperate.

On Unix for login at the console you will also need a pam_krb5 like
http://www.eyrie.org/~eagle/software/pam-krb5/

Usually the certificate and private key are on a smartcard. So also see
http://www.opensc-project.org/

> 
> Thanks in advance,
> Andrea
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444