Smart Cards in Java Kerberos
Henry B. Hotz
hbhotz at lavenderwine.com
Wed Jun 26 05:43:22 UTC 2013
Even easier. Just set useTicketCache=true in the JAAS config.
On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> Java (at least Oracle JDK) does not support PKINIT.
>
> Yes, you can do it outside, create a KerberosTicket and a KerberosPrincipal, create a JAAS Subject containing them, and call Subject.doAs() later. It should work.
>
> On Windows, if you manage to use Windows' own login and have the ticket stored inside LSA, Java should be able to read it. There is a registry key allowtgtsessionkey you need to take care of. Or maybe you can use any third party kinit to save a ccache file which can also be picked up by Java.
>
> --Max
>
> On 6/26/13 7:29 AM, Henry B. Hotz wrote:
>> I'm not authoritative, but AFAIK there is no smart card support in Java, though there is pkcs11 support.
>>
>> If I had to do it, I would do the smart card/PKINIT stuff outside Java, and then let Java use the acquired tgt.
>>
>> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifostap at gmail.com> wrote:
>>
>>> Hi everyone,
>>>
>>> I've been playing with smart cards and faced some issues.
>>> Long story short:
>>>
>>> Prerequisites:
>>>
>>> • I set up a basic Kerberos realm via Windows Active Directory.
>>> • I managed to successfully login into service via login/password pair using Java Kerberos(Krb5LoginModule), which is provided via JAAS.
>>> Now I try to implement Kerberos login via smart card. Smart card preauthentication in Kerberos is done via AS-REQ/AS-REP messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the smartcard. As far as I have seen, there were no PA-PK-AS-REQ/P extensions in openjdk sources. Maybe, I missed something.
>>>
>>> Question:
>>>
>>> 1. Does Java Kerberos support smart card preauthentication out of the box?
>>>
>>> 2. If it doesn't, can I somehow extends existing Kerberos module or should I implement whole Kerberos from the ground up?
>>>
>>>
>>>
>>> Thanks in advance,
>>> Ostap Andrusiv
>>>
>>>
>>> web: http://andrusiv.com
>>> skype: ostap.andrusiv
>>> ::p!F
>>
More information about the security-dev
mailing list