Smart Cards in Java Kerberos
Weijun Wang
weijun.wang at oracle.com
Mon Jul 1 09:01:28 UTC 2013
On 7/1/13 4:50 PM, Ostap Andrusiv wrote:
> Thanks everyone for the responses.
> I can't use allowtgtsessionkey on Windows, because I want to achieve a
> cross-platform solution.
Allowtgtsessionkey (Google it) is a Windows registry key you need to
configure, which means you cannot simply deploy your app on a Windows
box and it automatically works. Except for this, I don't think the
solution is not cross-platform.
>
> I'll look into the option, provided by Weijun Wang and create
> KerberosTicket/KerberosPrincipal. I hope it would do the job.
You need to get the ticket anyway. Either from an existing one (possibly
thru the login process) or get it yourself (thru a kinit command that
understands PKINIT). After that, as Henry said, "Just set
useTicketCache=true in the JAAS config".
Best luck.
--Weijun
>
>
> 2013/6/26 Henry B. Hotz <hbhotz at lavenderwine.com
> <mailto:hbhotz at lavenderwine.com>>
>
> Even easier. Just set useTicketCache=true in the JAAS config.
>
> On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.wang at oracle.com
> <mailto:weijun.wang at oracle.com>> wrote:
>
> > Java (at least Oracle JDK) does not support PKINIT.
> >
> > Yes, you can do it outside, create a KerberosTicket and a
> KerberosPrincipal, create a JAAS Subject containing them, and call
> Subject.doAs() later. It should work.
> >
> > On Windows, if you manage to use Windows' own login and have the
> ticket stored inside LSA, Java should be able to read it. There is a
> registry key allowtgtsessionkey you need to take care of. Or maybe
> you can use any third party kinit to save a ccache file which can
> also be picked up by Java.
> >
> > --Max
> >
> > On 6/26/13 7:29 AM, Henry B. Hotz wrote:
> >> I'm not authoritative, but AFAIK there is no smart card support
> in Java, though there is pkcs11 support.
> >>
> >> If I had to do it, I would do the smart card/PKINIT stuff
> outside Java, and then let Java use the acquired tgt.
> >>
> >> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifostap at gmail.com
> <mailto:pifostap at gmail.com>> wrote:
> >>
> >>> Hi everyone,
> >>>
> >>> I've been playing with smart cards and faced some issues.
> >>> Long story short:
> >>>
> >>> Prerequisites:
> >>>
> >>> • I set up a basic Kerberos realm via Windows Active Directory.
> >>> • I managed to successfully login into service via
> login/password pair using Java Kerberos(Krb5LoginModule), which is
> provided via JAAS.
> >>> Now I try to implement Kerberos login via smart card. Smart
> card preauthentication in Kerberos is done via AS-REQ/AS-REP
> messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos
> hasn't used the smartcard. As far as I have seen, there were no
> PA-PK-AS-REQ/P extensions in openjdk sources. Maybe, I missed something.
> >>>
> >>> Question:
> >>>
> >>> 1. Does Java Kerberos support smart card preauthentication out
> of the box?
> >>>
> >>> 2. If it doesn't, can I somehow extend the existing Kerberos
> module or should I implement the whole of Kerberos from the ground up?
> >>>
> >>>
> >>>
> >>> Thanks in advance,
> >>> Ostap Andrusiv
> >>>
> >>>
> >>> web: http://andrusiv.com
> >>> skype: ostap.andrusiv
> >>
>
>
>
>
> --
> Best regards,
> Ostap Andrusiv
>
> web: http://andrusiv.com
> skype: ostap.andrusiv
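The workflow Weijun and Henry describe (obtain the TGT outside Java with a PKINIT-capable kinit, then let Krb5LoginModule pick it up with useTicketCache=true and run the GSS-API call under Subject.doAs) as an added example; this is not code from the thread or from the JDK. The service name HTTP@service.example.com and the optional ccache path argument are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TicketCacheLogin {

    // JAAS configuration built in code, so no external login.conf is needed.
    static Configuration ticketCacheConfig(String ccachePath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true"); // use the TGT that the external (PKINIT) kinit stored
        opts.put("doNotPrompt", "true");    // never fall back to asking for a password
        if (ccachePath != null) {
            opts.put("ticketCache", ccachePath); // placeholder: explicit ccache file, else the default
        }
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Logs in from the credential cache and returns the Subject that now holds the TGT.
    static Subject loginFromCache(String ccachePath) throws Exception {
        LoginContext lc = new LoginContext("FromCache", null, null, ticketCacheConfig(ccachePath));
        lc.login();
        return lc.getSubject();
    }

    // Builds the first GSS-API (Kerberos AP-REQ) token for a service while running as the Subject.
    static byte[] initialToken(Subject subject, String service) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSContext ctx = mgr.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }

    public static void main(String[] args) throws Exception {
        String ccache = args.length > 0 ? args[0] : null; // null means the platform default ccache
        Subject s = loginFromCache(ccache);
        byte[] token = initialToken(s, "HTTP@service.example.com"); // placeholder service
        System.out.println("AP-REQ token of " + token.length + " bytes for " + s.getPrincipals());
    }
}
```

If the ccache holds only a TGT, the service ticket is fetched during initSecContext; on Windows, reading the TGT from LSA still needs the allowtgtsessionkey registry key mentioned above.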