Smart Cards in Java Kerberos

Henry B. Hotz hbhotz at lavenderwine.com
Tue Jun 25 23:29:34 UTC 2013


I'm not authoritative, but AFAIK there is no smart card support in Java, though there is pkcs11 support.

If I had to do it, I would do the smart card/PKINIT stuff outside Java, and then let Java use the acquired TGT.

On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifostap at gmail.com> wrote:

> Hi everyone, 
> 
> I've been playing with smart cards and faced some issues. 
> Long story short:
> 
> Prerequisites:
> 
> 	• I set up a basic Kerberos realm via Windows Active Directory.
> 	• I managed to successfully log in to the service via a login/password pair using Java Kerberos (Krb5LoginModule), which is provided via JAAS.
> 
> Now I am trying to implement Kerberos login via smart card. Smart card preauthentication in Kerberos is done via AS-REQ/AS-REP messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the smartcard. As far as I have seen, there were no PA-PK-AS-REQ/P extensions in openjdk sources. Maybe I missed something.
> 
> Question: 
> 
> 1. Does Java Kerberos support smart card preauthentication out of the box?
> 
> 2. If it doesn't, can I somehow extend the existing Kerberos module, or should I implement the whole of Kerberos from the ground up?
> 
> 
> 
> Thanks in advance,
> Ostap Andrusiv
> 
> 
> web: http://andrusiv.com
> skype: ostap.andrusiv
> ::p!F




More information about the security-dev mailing list