[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Was a smartcard used to get the ticket?
Phil Fisher wrote:
> Is it possible to find out if a smartcard was used to get a ticket?
I too am interested in this issue, and this was brought up on the ietf krb-wg
mailing list, and a discussion on "levels of assurance" was held after the
working group meeting a few weeks ago in Chicago.
There is a hw-authent bit in the TicketFlags, the the KDC should set if a hardware
device was used to authenticate. But for some this is not enought information.
Some people where interested in adding SAML assertions to the auth-data.
Others where interested in extending the PKINIT (RFC 4556) auth-data to also
include either the cert actually used or at least an ExternalPrincipalIdentifier
of the user certificate.
> A ticket is obtained with kinit. This may be with or without the -C
> PKCS11:... option to use a smartcard.
> My application then uses gss_init_sec_context() with GSS_C_NO_CREDENTIAL
> to get the default. It would be useful to know if a smartcard was used
> so that:
> 1) an administrator can insist on smartcards being used.
> 2) the application can adjust its response to a smartcard being removed.
Are you assuming the application is being run on the same machine? But
it is the KDC that needs to make the call.
The only way a KDC can know if a smart card was actually being use is by
trusting the CA that issued the certificate, that the private key associated
with the certificate is on a smartcard, and can not be read off the card.
(Other wise the user could have copied the cert and key and used software.)
> I've not found anything relevant in the documentation or with Google.
> nm on libgssapi.so shows gsskrb5_extract_authz_data_from_sec_context()
> which looks promising, but I'm not sure what it gives or how to use it.
> I assume that it returns an AuthorizationData structure, but I'm not
> clear if this contains the information I need or what value the ad_type
> parameter should have.
> Is what I want possible? Is
> gsskrb5_extract_authz_data_from_sec_context() the right way to get the
> information? Is its use documented somewhere?
I know Windows AD will set the hw-authent bit, if you use a smart card,
but not sure if Heimdal KDC will set it, or if the Heimdal klist will show it.
(The hw-authent could also imply an OTP or other hardware device, and not
But is is also not clear if the KDC will only set the hw-authent bit if
if the KDC has the requires-hw-auth set on the user entry. (I don't have
a heimdal KDC.)
So today your best bet is to look at the TicketFlags. It looks like the Heimdal
gsskrb5_inquire_sec_context_by_oid with the OID of GSS_KRB5_GET_TKT_FLAGS_X
will return them.
If so, and your KDC's only hardware devices are smart cards from CAs using
only smartcard card, then this could be your bit.
> I'm using Heimdal 1.0.
> Many thanks,
> Get Pimped! FREE emoticon packs from Windows Live -
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439