Add text about pk-init

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17175 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-04-23 19:52:14 +00:00
parent 773d0714a2
commit 65a0dee37e

View File

@@ -28,6 +28,7 @@ doing so. It will make life easier for you and everyone else.
* Setting up DNS::
* Using LDAP to store the database::
* Providing Kerberos credentials to servers and programs::
* Setting up PK-INIT::
@end menu
@node Configuration file, Creating the database, Setting up a realm, Setting up a realm
@@ -986,7 +987,7 @@ Now you can proceed as in @xref{Using LDAP to store the database}.
Heimdal will pick up the Samba LDAP entries if they are in the same
search space as the Kerberos entries.
@node Providing Kerberos credentials to servers and programs, , Using LDAP to store the database, Setting up a realm
@node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Setting up a realm
@section Providing Kerberos credentials to servers and programs
Some services require Kerberos credentials when they start to make
@@ -1032,3 +1033,223 @@ service@@host$ kinit --cache=/var/run/service_krb5_cache \
script-to-start-service argument1 argument2
@end example
@node Setting up PK-INIT, , Providing Kerberos credentials to servers and programs, Setting up a realm
@section Setting up PK-INIT
PK-INIT is levering the existing PKI infrastructure to use
certificates to get the initial ticket, that is usually the krbtgt.
To use PK-INIT you must first have a PKI, so if you don't have one,
now its time to create it. Note that you should read the whole chapter
of the document to see the requirements on the CA sortware.
There needs to exist a mapping between the certificate and what
principals that certificate is allowed to use. There are several ways
to do this. The administrator can use a configuration file, storing
the principal in SubjectAltName in extensions of certificate, or store
the mapping in the principals entry in the kerberos database.
@section Certificates
This section document the requirements on the KDC and client
certificates and the format used in the id-pkinit-san OtherName
extention.
@subsection KDC certificate
The certificate for the KDC have serveral requirements.
First the certificate should have a Extended Key Usage (EKU)
id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second there must be a
subjectAltName otherName using oid id-pkinit-san (1.3.6.1.5.2.2) in
the type field and and DER encoded KRB5PrincipalName that matches the
name of the TGS of the target realm.
Both of these two requirements are not required by the standard to be
checked by the client if it have external information what the
certificate the KDC is supposed to be used. So its in the interst of
minium amount of configuration on the clients they should be included.
Remember that if client would accept any certificate as the KDC's
certificate, the client could be fooled into trusting something that
isn't a KDC and thus expose the user to giving away information (like
password or other private information) that it is supposed to secret.
Also, if the extension certificate have a nameConstraints extention
with a Generalname with dNSName or iPAdress it must match the hostname
or adress of the KDC.
@subsection Client certificate
The client certificate may need to have a EKU id-pkekuoid
(1.3.6.1.5.2.3.4) depending on set on the certifiate on the KDC.
It possible to store the principal (if allowed by the KDC) in the
certificate and thus delegate responsibility to do the mapping between
certificates and principals to the CA.
@subsubsection Using KRB5PrincipalName in id-pkinit-san
OtherName extenetion in the GeneralName is used is used to do the
mapping between certifiate and principal in the certifiate or storing
the krbtgt principal in the KDC certificate.
The principal is stored in a SubjectAltName in the certificate using
OtherName. The oid in the type is id-pkinit-san.
@example
id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
internet (1) security (5) kerberosv5 (2) 2 @}
@end example
In the data part of the OtherName is filled with the following DER
encoded ASN.1 structure:
@example
KRB5PrincipalName ::= SEQUENCE @{
realm [0] Realm,
principalName [1] PrincipalName
@}
@end example
where Realm and PrincipalName is defined by Kerberos ASN.1 specification.
@section Naming certificate using hx509
hx509 is the X.509 software used in Heimdal to handle
certificates. hx509 use diffrent syntaxs to specify the diffrent
format the certificate is stored and in what format they exist in.
There are several format that can be used, PEM, embeded into PKCS12
files, embeded into PKCS11 devices and raw DER encoded certificates.
Below is a list of types to use.
@table @asis
@item DIR:
@c Create a directory where all the trusted anchors are stored
@c ca-trusted-anchors and copy all certificate you are going to trust as
@c anchors into that directory. Make sure there are no other files then
@c trust anchors in that directory, if there are, it will not work. In
@c the krb5.conf, this is refear to as DIR:/dir
Syntax is:
@example
DIR:/path/to/der/files
@end example
@item FILE:
FILE: is used to have the lib pick up a certificate chain and a
private key.
Syntax is:
@example
FILE:certificate-file.pem,private-key-file.key,other-cert.pem,....
@end example
@item PKCS11:
PKCS11: is used handle smartcards via PKCS11 drivers
(soft-token,opensc,muscle) files.
Syntax is:
@example
PKCS11:shared-object.so:slot=<num>:otherattribute=<value>
@end example
@item PKCS12:
PKCS12: is used handle PKCS12 (.pfx/.p12) files.
Syntax is:
@example
PKCS12:/path/to/file.pfx
@end example
@end table
@section Configuring the kerberos software
Add configuration options to krb5.conf
kinit
kdc
@section Configuring the client
@example
[appdefaults]
pkinit-anchors = DIR:/dir-to-client-trusted-ca-hashes
@end example
@section Configuring the KDC
@example
[kdc]
enable-pkinit = yes
pki-identity = FILE:/secure/kdc.crt,/secure/kdc.key
pki-anchors = FILE:/path/to/trust-anchors.pem
pki-pool = PKCS12:/path/to/useful-intermediate-certs.pfx
pki-pool = FILE:/path/to/other-useful-intermediate-certs.pem
@end example
@subsection Using pki-mapping file
@subsection Using Kerberos database
@section Use OpenSSL to create certificates
@subsection Using OpenSSL to create certificate with krb5PrincipalName
To make OpenSSL create certificate with krb5PrincipalName use the following
@file{openssl.cnf}.
@example
[user_certificate]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[princ_name]
realm = EXP:0, GeneralString:MY.REALM
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:userid
@end example
Command usage
@example
openssl x509 -extensions user_certificate
@end example
@c --- ms certificate
@c
@c [ new_oids ]
@c msCertificateTemplateName = 1.3.6.1.4.1.311.20.2
@c
@c
@c [ req_smartcard ]
@c keyUsage = digitalSignature, keyEncipherment
@c extendedKeyUsage = msSmartcardLogin, clientAuth
@c msCertificateTemplateName = ASN1:BMP:SmartcardLogon
@c subjectAltName = otherName:msUPN;UTF8:lukeh@dsg.padl.com
@c #subjectAltName = email:copy