Smart Cards in Java Kerberos

Henry B. Hotz hbhotz at lavenderwine.com
Tue Jun 25 22:43:22 PDT 2013


Even easier.  Just set useTicketCache=true in the JAAS config.

On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:

> Java (at least Oracle JDK) does not support PKINIT.
> 
> Yes, you can do it outside, create a KerberosTicket and a KerberosPrincipal, create a JAAS Subject containing them, and call Subject.doAs() later. It should work.
> 
> On Windows, if you manage to use Windows' own login and have the ticket stored inside LSA, Java should be able to read it. There is a registry key allowtgtsessionkey you need to take care of. Or maybe you can use any third party kinit to save a ccache file which can also be picked up by Java.
> 
> --Max
> 
> On 6/26/13 7:29 AM, Henry B. Hotz wrote:
>> I'm not authoritative, but AFAIK there is no smart card support in Java, though there is pkcs11 support.
>> 
>> If I had to do it, I would do the smart card/PKINIT stuff outside Java, and then let Java use the acquired tgt.
>> 
>> On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifostap at gmail.com> wrote:
>> 
>>> Hi everyone,
>>> 
>>> I've been playing with smart cards and faced some issues.
>>> Long story short:
>>> 
>>> Prerequisites:
>>> 
>>> 	• I set up a basic Kerberos realm via Windows Active Directory.
>>> 	• I managed to successfully log in to a service via a login/password pair using Java Kerberos (Krb5LoginModule), which is provided via JAAS.
>>> Now I try to implement Kerberos login via smart card. Smart card preauthentication in Kerberos is done via AS-REQ/AS-REP messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the smart card. As far as I have seen, there were no PA-PK-AS-REQ/P extensions in the openjdk sources. Maybe I missed something.
>>> 
>>> Question:
>>> 
>>> 1. Does Java Kerberos support smart card preauthentication out of the box?
>>> 
>>> 2. If it doesn't, can I somehow extend the existing Kerberos module, or should I implement the whole of Kerberos from the ground up?
>>> 
>>> 
>>> 
>>> Thanks in advance,
>>> Ostap Andrusiv
>>> 
>>> 
>>> web: http://andrusiv.com
>>> skype: ostap.andrusiv
>> 
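The approach Henry and Max describe above, as an added example (not code from any of the posters or from the JDK): the smart card/PKINIT step is done outside Java by a PKINIT-capable kinit (or, on Windows, by the interactive logon with the AllowTgtSessionKey registry value set, as Max notes), and Java then picks the resulting TGT up through Krb5LoginModule with useTicketCache=true and runs GSS-API initiation inside Subject.doAs(). The JAAS entry name SmartCardClient, the class name CcacheGssClient, the path /etc/jaas.conf and the service principal host@server.example.com are assumptions for the example.

```java
// Added example, not from the thread. Uses a TGT that was obtained outside Java
// (e.g. "kinit" with a PKINIT/smart-card plugin) via a JAAS login that only reads
// the credential cache and never prompts for a password.
//
// Assumed JAAS configuration file /etc/jaas.conf (the entry name is ours):
//
//   SmartCardClient {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true
//           doNotPrompt=true;
//   };
//
// Run as:
//   java -Djava.security.auth.login.config=/etc/jaas.conf \
//        -Djava.security.krb5.conf=/etc/krb5.conf \
//        CcacheGssClient host@server.example.com
//
// On Windows, when no file ccache is found, Krb5LoginModule falls back to the
// LSA credential cache; that only yields a usable TGT if the registry value
// HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey
// is 1, as mentioned in the thread.

import java.security.PrivilegedExceptionAction;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class CcacheGssClient {

    // Kerberos V5 GSS-API mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: CcacheGssClient <service, e.g. host@server.example.com>");
            System.exit(2);
        }
        String servicePrincipal = args[0];

        Subject subject = loginFromTicketCache("SmartCardClient");

        // Everything that needs the Kerberos credentials runs under the Subject.
        byte[] token = Subject.doAs(subject,
                (PrivilegedExceptionAction<byte[]>) () -> initialToken(servicePrincipal));
        System.out.println("initial GSS token (wraps AP-REQ): " + token.length + " bytes");
    }

    /** Populate a Subject from the existing credential cache; fail rather than prompt. */
    static Subject loginFromTicketCache(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login(); // with doNotPrompt=true this throws if no ccache/LSA TGT is found
        Subject subject = lc.getSubject();

        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            throw new LoginException("no Kerberos ticket found in the credential cache");
        }
        for (KerberosTicket t : tickets) {
            // A TGT that PKINIT produced outside Java is only useful while still valid;
            // Java cannot renew it with the smart card, so surface expiry explicitly.
            if (!t.isCurrent()) {
                throw new LoginException("cached ticket for " + t.getClient()
                        + " (server " + t.getServer() + ") has expired");
            }
        }
        return subject;
    }

    /** Build the first GSS-API context token for the target service using the cached TGT. */
    static byte[] initialToken(String servicePrincipal) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);
        GSSName target = manager.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE);

        // null credential: use the Subject's private credentials (the cached TGT),
        // which is how the TGS-REQ for the service ticket gets issued.
        GSSContext ctx = manager.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestInteg(true);

        // First call with an empty input token produces the AP-REQ to send to the server;
        // a real client would feed the server's reply back into initSecContext().
        return ctx.initSecContext(new byte[0], 0, 0);
    }
}
```

The JAAS entry deliberately sets doNotPrompt=true so that a missing or expired cache fails the login instead of falling back to password prompting, which is the behaviour you want when the policy is "smart card only". If the ccache lives somewhere other than the default location, add ticketCache=<path> to the entry or set KRB5CCNAME before starting the JVM.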



More information about the security-dev mailing list