Kerberos PKINIT - No matching entry found preauth (pkinit) verify failure: Certificate mismatch
I have installed a FreeIPA master server, which includes Kerberos. In addition, I have a client server enrolled in FreeIPA for testing the PKINIT functionality of Kerberos. All servers run on CentOS 7.
A test user exists in FreeIPA, and it is also listed in the only existing realm as testuser@REALMNAME when using list_principals in kadmin. getprinc testuser also gives Attributes: REQUIRES_PRE_AUTH.
I created the kdc and client certificates strictly following the documentation: https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/pkinit.html. They are signed by my own CA, whose certificate is also present on the client and on the master.
The [realms] configuration on the master is as follows:
master上的[realm]配置如下:
[realms]
TEST.INTERN = {
kdc = XXX:88
master_kdc = XXX:88
admin_server = XXX:749
default_domain = test.intern
pkinit_anchors = FILE:/etc/krb/ca.pem
pkinit_identity = FILE:/etc/krb/kdc.pem,/etc/krb/kdckey.pem
allow_pkinit = yes
module = pkinit:/usr/lib64/krb5/plugins/preauth/pkinit.so
}
XXX is the master's FQDN. The client is configured as follows:
[realms]
TEST.INTERN = {
kdc = XXX:88
master_kdc = XXX:88
admin_server = XXX:749
kpasswd_server = XXX:464
default_domain = test.intern
pkinit_anchors = FILE:/etc/krb/ca.pem
pkinit_identities = FILE:/etc/krb/client.pem,/etc/krb/clientkey.pem
}
AFAIK I should be able to run kinit testuser on the client to obtain a Kerberos ticket without entering a password.
Unfortunately, running env KRB5_TRACE=/dev/stdout kinit -V testuser produces:
[2988] 1614772826.172614: Getting initial credentials for testuser@TEST.INTERN
[2988] 1614772826.172616: Sending unauthenticated request
[2988] 1614772826.172617: Sending request (170 bytes) to TEST.INTERN
[2988] 1614772826.172618: Resolving hostname XXX
[2988] 1614772826.172619: Initiating TCP connection to stream XXX_IP:88
[2988] 1614772826.172620: Sending TCP request to stream XXX_IP:88
[2988] 1614772826.172621: Received answer (298 bytes) from stream XXX_IP:88
[2988] 1614772826.172622: Terminating TCP connection to stream XXX_IP:88
[2988] 1614772826.172623: Response was from master KDC
[2988] 1614772826.172624: Received error from KDC: -1765328359/Additional pre-authentication required
[2988] 1614772826.172627: Preauthenticating using KDC method data
[2988] 1614772826.172628: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[2988] 1614772826.172629: Selected etype info: etype aes256-cts, salt ""@0.X)+A92ZBJ*5T", params ""
[2988] 1614772826.172630: Received cookie: MIT
[2988] 1614772826.172631: Preauth module pkinit (147) (info) returned: 0/Success
[2988] 1614772826.172632: PKINIT loading CA certs and CRLs from FILE
[2988] 1614772826.172633: PKINIT client computed kdc-req-body checksum 9/80ADD1F631A328C4895D0B822F96608C303E6743
[2988] 1614772826.172635: PKINIT client making DH request
[2988] 1614772826.172636: Preauth module pkinit (16) (real) returned: 0/Success
[2988] 1614772826.172637: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[2988] 1614772826.172638: Sending request (3475 bytes) to TEST.INTERN
[2988] 1614772826.172639: Resolving hostname XXX
[2988] 1614772826.172640: Initiating TCP connection to stream XXX_IP:88
[2988] 1614772826.172641: Sending TCP request to stream XXX_IP:88
[2988] 1614772826.172642: Received answer (167 bytes) from stream XXX_IP:88
[2988] 1614772826.172643: Terminating TCP connection to stream XXX_IP:88
[2988] 1614772826.172644: Response was from master KDC
[2988] 1614772826.172645: Received error from KDC: -1765328318/Certificate mismatch
kinit: Certificate mismatch while getting initial credentials
The master confirms this. /var/log/krb5kdc.log shows:
Mar 03 13:01:10 XXX krb5kdc[80746](info): Doing certauth authorize for [testuser@TEST.INTERN]
Mar 03 13:01:10 XXX krb5kdc[80746](info): Got cert filter [(userCertificate;binary=...
Mar 03 13:01:10 XXX krb5kdc[80746](info): No matching entry found
Mar 03 13:01:10 XXX krb5kdc[80746](info): preauth (pkinit) verify failure: Certificate mismatch
At this point I really do not know why this failure occurs. The certificates were created strictly according to the documentation linked above.
When inspecting the certificates with openssl asn1parse -in certificate.pem -strparse OFFSET, at the respective offset I get the otherName part of the SubjectAltName:
openssl asn1parse -dump -in ../client/client.pem -strparse 815
0:d=0 hl=2 l= 48 cons: SEQUENCE
2:d=1 hl=2 l= 46 cons: cont [ 0 ]
4:d=2 hl=2 l= 6 prim: OBJECT :1.3.6.1.5.2.2
12:d=2 hl=2 l= 36 cons: cont [ 0 ]
14:d=3 hl=2 l= 34 cons: SEQUENCE
16:d=4 hl=2 l= 13 cons: cont [ 0 ]
18:d=5 hl=2 l= 11 prim: GENERALSTRING
0000 - 54 45 53 54 2e 49 4e 54-45 52 4e TEST.INTERN
31:d=4 hl=2 l= 17 cons: cont [ 1 ]
33:d=5 hl=2 l= 15 cons: SEQUENCE
35:d=6 hl=2 l= 3 cons: cont [ 0 ]
37:d=7 hl=2 l= 1 prim: INTEGER :01
40:d=6 hl=2 l= 8 cons: cont [ 1 ]
42:d=7 hl=2 l= 6 cons: SEQUENCE
44:d=8 hl=2 l= 4 prim: GENERALSTRING
0000 - 74 65 73 74 75 73 65 72 testuser
for the client certificate, and
openssl asn1parse -dump -in kdc.pem -strparse 832
0:d=0 hl=2 l= 63 cons: SEQUENCE
2:d=1 hl=2 l= 61 cons: cont [ 0 ]
4:d=2 hl=2 l= 6 prim: OBJECT :1.3.6.1.5.2.2
12:d=2 hl=2 l= 51 cons: cont [ 0 ]
14:d=3 hl=2 l= 49 cons: SEQUENCE
16:d=4 hl=2 l= 13 cons: cont [ 0 ]
18:d=5 hl=2 l= 11 prim: GENERALSTRING
0000 - 54 45 53 54 2e 49 4e 54-45 52 4e TEST.INTERN
31:d=4 hl=2 l= 32 cons: cont [ 1 ]
33:d=5 hl=2 l= 30 cons: SEQUENCE
35:d=6 hl=2 l= 3 cons: cont [ 0 ]
37:d=7 hl=2 l= 1 prim: INTEGER :02
40:d=6 hl=2 l= 23 cons: cont [ 1 ]
42:d=7 hl=2 l= 21 cons: SEQUENCE
44:d=8 hl=2 l= 6 prim: GENERALSTRING
0000 - 6b 72 62 74 67 74 krbtgt
52:d=8 hl=2 l= 11 prim: GENERALSTRING
0000 - 54 45 53 54 2e 49 4e 54-45 52 4e TEST.INTERN
for the kdc certificate.
At the moment I completely fail to understand why this does not work.
PS: I have replaced the real master's FQDN with XXX; its IP is XXX_IP.
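As an added example (not code from the original post, nor from the MIT krb5 or FreeIPA projects), the following decodes the id-pkinit-san otherName (OID 1.3.6.1.5.2.2) whose layout the asn1parse dumps above show, and compares the embedded KRB5PrincipalName with the principal kinit requests. The sample DER is constructed here from those dumps (the client name is encoded as the 8-byte "testuser", so its lengths differ from the dump); the equality check models the upstream MIT pkinit SAN match, whereas the krb5kdc.log lines show FreeIPA's certauth plugin looking the certificate up in LDAP via userCertificate;binary, a separate check this example does not cover.

```python
# Added example: parse/build the pkinit SubjectAltName otherName from the asker's
# asn1parse dumps (tags 0x30 SEQUENCE, 0xa0/0xa1 context [0]/[1], 0x1b GeneralString,
# 0x02 INTEGER). Sample values are constructed; they are not taken from a real cert.

ID_PKINIT_SAN = bytes.fromhex("2b0601050202")  # OID 1.3.6.1.5.2.2 (id-pkinit-san)

def der(tag, content):
    """Encode one DER TLV; short-form length is enough for the sizes used here."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """All (tag, value) pairs contained in a constructed element's content."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        out.append((tag, inner))
    return out

def pkinit_principals(general_names_der):
    """Every (principal, name-type) carried as a pkinit otherName in a SAN
    GeneralNames SEQUENCE, e.g. [('testuser@TEST.INTERN', 1)]."""
    found = []
    for tag, other_name in children(tlv(general_names_der)[1]):
        if tag != 0xA0:                      # only GeneralName otherName [0]
            continue
        (_, oid), (_, explicit) = children(other_name)
        if oid != ID_PKINIT_SAN:
            continue
        realm_ctx, pname_ctx = children(tlv(explicit)[1])        # KRB5PrincipalName
        realm = tlv(realm_ctx[1])[1].decode()                    # [0] Realm
        ntype_ctx, nstr_ctx = children(tlv(pname_ctx[1])[1])     # [1] PrincipalName
        name_type = int.from_bytes(tlv(ntype_ctx[1])[1], "big")  # [0] name-type
        parts = [v.decode() for _, v in children(tlv(nstr_ctx[1])[1])]  # [1] name-string
        found.append(("/".join(parts) + "@" + realm, name_type))
    return found

def san_matches(general_names_der, requested_principal):
    """The upstream MIT KDC check: a pkinit SAN must name the requesting client."""
    return any(p == requested_principal for p, _ in pkinit_principals(general_names_der))

def build_pkinit_san(realm, name_type, components):
    """Constructed sample: GeneralNames with one id-pkinit-san otherName (name_type < 128)."""
    name_string = der(0x30, b"".join(der(0x1B, c.encode()) for c in components))
    pname = der(0x30, der(0xA0, der(0x02, bytes([name_type]))) + der(0xA1, name_string))
    krb5 = der(0x30, der(0xA0, der(0x1B, realm.encode())) + der(0xA1, pname))
    return der(0x30, der(0xA0, der(0x06, ID_PKINIT_SAN) + der(0xA0, krb5)))

CLIENT_SAN = build_pkinit_san("TEST.INTERN", 1, ["testuser"])              # NT-PRINCIPAL
KDC_SAN = build_pkinit_san("TEST.INTERN", 2, ["krbtgt", "TEST.INTERN"])    # NT-SRV-INST
```

KDC_SAN reproduces the kdc.pem dump byte for byte (outer SEQUENCE length 63), so the decoder can be checked against the lengths printed by openssl asn1parse.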
Here is a blog post I put together that should give you an idea of how to set up the Kerberos PKINIT preauthentication mechanism to authenticate IPA users with X.509 certificates: