Smart Cards in Java Kerberos
Ostap Andrusiv
pifostap at gmail.com
Mon Jul 1 08:50:57 UTC 2013
Thanks everyone for the responses.
I can't use allowtgtsessionkey on Windows, because I want to achieve a
cross-platform solution.
I'll look into the option provided by Weijun Wang and create
KerberosTicket/KerberosPrincipal. I hope it would do the job.
2013/6/26 Henry B. Hotz <hbhotz at lavenderwine.com>
> Even easier. Just set useTicketCache=true in the JAAS config.
>
> On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
> > Java (at least Oracle JDK) does not support PKINIT.
> >
> > Yes, you can do it outside, create a KerberosTicket and a
> KerberosPrincipal, create a JAAS Subject containing them, and call
> Subject.doAs() later. It should work.
> >
> > On Windows, if you manage to use Windows' own login and have the ticket
> stored inside LSA, Java should be able to read it. There is a registry key
> allowtgtsessionkey you need to take care of. Or maybe you can use any third
> party kinit to save a ccache file which can also be picked up by Java.
> >
> > --Max
> >
> > On 6/26/13 7:29 AM, Henry B. Hotz wrote:
> >> I'm not authoritative, but AFAIK there is no smart card support in
> Java, though there is pkcs11 support.
> >>
> >> If I had to do it, I would do the smart card/PKINIT stuff outside Java,
> and then let Java use the acquired tgt.
> >>
> >> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifostap at gmail.com> wrote:
> >>
> >>> Hi everyone,
> >>>
> >>> I've been playing with smart cards and faced some issues.
> >>> Long story short:
> >>>
> >>> Prerequisites:
> >>>
> >>> • I set up a basic Kerberos realm via Windows Active Directory.
> >>> • I managed to successfully log in to the service via login/password
> pair using Java Kerberos (Krb5LoginModule), which is provided via JAAS.
> >>> Now I try to implement Kerberos login via smart card. Smart card
> preauthentication in Kerberos is done via AS-REQ/AS-REP messages
> (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the
> smartcard. As far as I have seen, there were no PA-PK-AS-REQ/P extensions
> in openjdk sources. Maybe, I missed something.
> >>>
> >>> Question:
> >>>
> >>> 1. Does Java Kerberos support smart card preauthentication out of the
> box?
> >>>
> >>> 2. If it doesn't, can I somehow extend the existing Kerberos module or
> should I implement whole Kerberos from the ground up?
> >>>
> >>>
> >>>
> >>> Thanks in advance,
> >>> Ostap Andrusiv
> >>>
> >>>
> >>> web: http://andrusiv.com
> >>> skype: ostap.andrusiv
> >>> ::p!F
> >>
>
>
--
Best regards,
Ostap Andrusiv
web: http://andrusiv.com
skype: ostap.andrusiv
::p!F