...
In the server configuration file /etc/krb5.conf, map the DNS domain to the realm:

/etc/krb5.conf:
```ini
[domain_realm]
.aktiv-test.ru = AKTIV-TEST
aktiv-test.ru = AKTIV-TEST
```
...
```bash
$ kinit <username>
...
$ klist
...
$ kdestroy
```
Client

Download rtengine for OpenSSL from the SDK and copy it to the OpenSSL engines directory.
...
...
Install the PKCS#11 module rtpkcs11ecp.so.
...
In the client configuration file /etc/krb5.conf, specify the same mapping:

/etc/krb5.conf:
```ini
[domain_realm]
...
.aktiv-test.ru = AKTIV-TEST
aktiv-test.ru = AKTIV-TEST
```
...
Create a file pkinit_extensions with the following content. It defines two extension sets for openssl x509: kdc_cert for the KDC certificate (EKU id-pkinit-KPKdc, 1.3.6.1.5.2.3.5, plus a subjectAltName naming krbtgt/REALM) and client_cert for user certificates (EKU id-pkinit-KPClientAuth, 1.3.6.1.5.2.3.4, plus a subjectAltName naming the user principal). The realm and the client principal are taken from the REALM and CLIENT environment variables.

pkinit_extensions:
```ini
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
# PKINIT EKU: id-pkinit-KPKdc
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# copy the issuer's subjectAltName, if it has one, into issuerAltName
issuerAltName=issuer:copy
# id-pkinit-san: KRB5PrincipalName of the KDC, krbtgt/REALM@REALM
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
[client_cert]
# these extensions are added when the CA signs a client request
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
# PKINIT EKU: id-pkinit-KPClientAuth
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# id-pkinit-san: KRB5PrincipalName of the user, CLIENT@REALM
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
# name_type 1 = NT-PRINCIPAL
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:${ENV::CLIENT}
```

OpenSSL expands ${ENV::...} for the whole file when it loads it, so REALM and CLIENT must both be set on every signing run, including a run that only asks for the kdc_cert section.
...
Enable preauthentication on the server. To do this, describe the AKTIV-TEST realm in /etc/krb5kdc/kdc.conf: default_principal_flags = +preauth makes every principal created from now on require preauthentication (existing principals need modprinc +requires_preauth in kadmin), and pkinit_anchors / pkinit_identity tell the KDC which CA to trust for client certificates and which certificate and key to sign its own PKINIT replies with.

/etc/krb5kdc/kdc.conf:
```ini
[realms]
AKTIV-TEST = {
    database_name = /var/lib/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /etc/krb5kdc/kadm5.acl
    key_stash_file = /etc/krb5kdc/stash
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    # des3-hmac-sha1, arcfour-hmac and every des* type below are deprecated
    # (RFC 6649, RFC 8429); keep only the aes types on a new deployment
    master_key_type = des3-hmac-sha1
    supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
    # require preauthentication for newly created principals
    default_principal_flags = +preauth
    # CA certificate the KDC trusts when verifying client certificates
    pkinit_anchors = FILE:/etc/krb5/cacert.pem
    # KDC certificate (signed with the kdc_cert section) and its private key
    pkinit_identity = FILE:/etc/krb5/kdc.pem,/etc/krb5/kdckey.pem
}
```
...
Generate the client key pair on the token and create a certificate signing request for it.

```bash
# note the ID: the same ID selects the key in OpenSSL below and links the
# certificate to the key once the certificate is stored on the token
$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type rsa:2048 -l --id 45
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:librtpkcs11ecp.so
...
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out client.req -subj "/C=RU/ST=Moscow/L=Moscow/O=Aktiv/OU=dev/CN=testuser/emailAddress=testuser@mail.com"
```
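The steps above produce the extension file, the kdc.conf that references cacert.pem/kdc.pem/kdckey.pem, and a client CSR, but not the CA-side signing that turns them into PKINIT certificates. The script below is an added example, not code from the original page or from Aktiv: it creates the CA, signs a KDC certificate with the kdc_cert section and a client certificate with the client_cert section, and then checks each result for the chain, the PKINIT EKU and the id-pkinit-san before anything is copied to /etc/krb5 or written to the token. It assumes the realm AKTIV-TEST and principal testuser used on the page, a hypothetical KDC host name kdc.aktiv-test.ru, and a throw-away software client key standing in for client.req from the token (the signing command is the same either way); openssl 1.1.1 or later must be on PATH.

```bash
#!/bin/sh
# Added example (not from the original page): issue CA, KDC and client certificates
# with the pkinit_extensions file above and verify the PKINIT extensions.
# Assumptions: realm AKTIV-TEST and principal testuser as on the page; a software
# client key stands in for the CSR made on the Rutoken; openssl >= 1.1.1 on PATH.
set -eu

REALM=AKTIV-TEST
CLIENT=testuser
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf;
# v3_ca makes the self-signed certificate a real CA (what pkinit_anchors points at).
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# The pkinit_extensions file from the page, without its comments.
cat >"$WORK/pkinit_extensions" <<'EOF'
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
[client_cert]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:${ENV::CLIENT}
EOF

# Sign a CSR ($1) with one section ($2) of pkinit_extensions into $3. REALM and CLIENT
# are both exported on every run: OpenSSL expands ${ENV::...} for the whole file when
# it loads it, so an unset CLIENT breaks a kdc_cert signing as well.
sign_with_section() {
    env REALM="$REALM" CLIENT="$CLIENT" openssl x509 -req -in "$1" -days 365 -sha256 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/pkinit_extensions" -extensions "$2" -out "$3" 2>/dev/null
}

issue_pkinit_certs() {
    # CA: cacert.pem is the pkinit_anchors file on the KDC and on the clients.
    openssl req -config "$WORK/req.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -subj "/CN=$REALM PKINIT CA" 2>/dev/null
    # KDC: kdc.pem + kdckey.pem are the pkinit_identity in kdc.conf (host name is assumed).
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/kdckey.pem" -out "$WORK/kdc.req" -subj "/CN=kdc.aktiv-test.ru" 2>/dev/null
    sign_with_section "$WORK/kdc.req" kdc_cert "$WORK/kdc.pem"
    # Client: software stand-in for the client.req produced on the token above.
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/clientkey.pem" -out "$WORK/client.req" -subj "/CN=$CLIENT" 2>/dev/null
    sign_with_section "$WORK/client.req" client_cert "$WORK/client.pem"
}

# Succeeds only if $1 chains to the CA, carries the expected PKINIT EKU ($2, printed by
# name or as a dotted OID depending on the OpenSSL version) and a subjectAltName
# otherName, i.e. the id-pkinit-san that krb5 matches the principal against.
check_pkinit_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -Eq "$2" || return 1
    printf '%s\n' "$text" | grep -q 'othername' || return 1
}
KDC_EKU='1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response|pkInitKDC'
CLIENT_EKU='1\.3\.6\.1\.5\.2\.3\.4|PKINIT Client Auth|pkInitClientAuth'

issue_pkinit_certs
check_pkinit_cert "$WORK/kdc.pem" "$KDC_EKU" && echo "kdc.pem: KDC certificate ok"
check_pkinit_cert "$WORK/client.pem" "$CLIENT_EKU" && echo "client.pem: client certificate ok"
```

The check deliberately distinguishes the two EKUs: a certificate signed with the wrong section chains fine and looks healthy in a browser, but the KDC will refuse it as a client identity (and the client will refuse it as a KDC identity), so this is the error to catch on the CA before the certificate is written to the token.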
...
Change the client configuration file /etc/krb5.conf:

/etc/krb5.conf:
```ini
[libdefaults]
default_realm = <realm>
pkinit_anchors = FILE:/etc/krb5/cacert.pem
# for authentication with a certificate and key stored in local files
# pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
# for authentication with the token
pkinit_identities = PKCS11:/usr/lib/librtpkcs11ecp.so
```

pkinit_anchors must point at the same CA certificate the KDC uses, because the client verifies the KDC's certificate against it. If the token holds more than one certificate, MIT krb5 lets you narrow the choice with the slotid=, token=, certid= and certlabel= options of the PKCS11: identity string; with the key generated under ID 45 above, certid=45 selects that object, provided the certificate was written to the token with the same ID.
...