Smartcard-enabled Kerberos client
Kerberos v5 with a smartcard holding the user's passwords. This is in production use at CITI using k4 servers. All of the crypto is done on the card.
In the current version, tickets are still stored on the host and crypto operations are restricted to des-md5. Also, the only supported card is Schlumberger's Cyberflex Access.
Because of the restrictions on MIT's Kerberos, we cannot include packages, rpms or other pre-built versions of this product for public consumption.
If your platform is not supported, please download the Kerberos source code and the package below. Install instructions are included in the individual tarballs.
Heimdal is a free Kerberos V implementation. The smartcard patch currently works with version 0.3b and stores a user's password on the card.
Apply the patch to the heimdal source and compile with -DSMARTCARD.
Untar the kit in the root directory.
Making your Kerberos card and changing your password
Download the card side utilities and run kscinit.sh. The card side utilities include pay, and the Java applets and source to be loaded onto the card.
alice :) /usr/local/bin/kscinit.sh (username)
Initialize smartcard for (username)
which pay do you want to use? [ /usr/local/bin/pay ]        /* type pathname of pay if kscinit.sh did not find it */
which kinit do you want to use? [ /usr/local/bin/kinit ]    /* type pathname of kinit if kscinit.sh did not find it */
which applet do you want to use? [ ./Krb.bin ] /usr/local/src/smartcard/Krb.bin    /* type pathname of Krb.bin */
using /usr/local/src/smartcard/Krb.bin
reader number (1/2/...): 1          /* reader number is 1, as you have only one */
first realm: CITI.UMICH.EDU         /* type a K5 realm name */
second realm: UMICH.EDU             /* type another K5 realm name - use the same one if you need only one realm */
Password for (username)@CITI.UMICH.EDU:
(username)@CITI.UMICH.EDU's Password:
Password for (username)@UMICH.EDU:
(username)@UMICH.EDU's Password:
/* then pay does the rest. */
Using the kerberos smartcard
/usr/local/bin/kinit -C 0
/usr/local/bin/kinit -C 0 (username)@UMICH.EDU
/usr/local/bin/kinit -C 0 (username)@CITI.UMICH.EDU
will get the TGT for you. Use klist and kdestroy to make sure this is working.
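The check suggested above, written out as a small wrapper script. This is an added example, not part of the CITI kit or the Heimdal patch: it runs the card-based kinit -C 0 invocation from this page, then parses klist output to confirm that a krbtgt entry for the principal's own realm is actually in the cache, and destroys the cache if it is not. The /usr/local/bin paths are the ones used above; the klist output layout (Heimdal style, with a "Principal:" line and one krbtgt line per realm) and the sample cache listing are assumptions constructed for offline testing.

```shell
#!/bin/sh
# Added example, not part of the CITI kit: obtain a TGT with the card,
# confirm that the expected krbtgt entry landed in the credentials cache,
# and tear the cache down on failure. Assumes the /usr/local/bin paths and
# the "kinit -C 0" invocation from the page, and Heimdal-style klist output.

KINIT=${KINIT:-/usr/local/bin/kinit}
KLIST=${KLIST:-/usr/local/bin/klist}
KDESTROY=${KDESTROY:-/usr/local/bin/kdestroy}

# has_tgt REALM: read klist output on stdin; succeed only if the cache
# holds a krbtgt/REALM@REALM entry (fixed-string match, so dots are literal).
has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# cache_principal: read klist output on stdin; print the cached principal.
cache_principal() {
    sed -n 's/^[[:space:]]*Principal:[[:space:]]*//p' | head -n 1
}

# Constructed sample of klist output (Heimdal layout, assumed), so the
# checks above can be exercised without a card reader or a KDC.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: alice@CITI.UMICH.EDU

  Issued           Expires          Principal
Jul  4 09:00:00  Jul  4 19:00:00  krbtgt/CITI.UMICH.EDU@CITI.UMICH.EDU'

# card_login user@REALM: kinit via the card, then verify the TGT is for the
# principal's own realm; destroy the cache rather than leave a wrong one.
card_login() {
    princ=$1
    case $princ in
        *@*) ;;
        *) echo "principal must be given as user@REALM" >&2; return 1 ;;
    esac
    realm=${princ#*@}
    if ! "$KINIT" -C 0 "$princ"; then
        echo "kinit -C 0 $princ failed" >&2
        return 1
    fi
    out=$("$KLIST") || return 1
    if printf '%s\n' "$out" | has_tgt "$realm"; then
        echo "TGT obtained for $(printf '%s\n' "$out" | cache_principal)"
        return 0
    fi
    echo "no krbtgt/$realm@$realm in cache; destroying credentials" >&2
    "$KDESTROY"
    return 1
}

# Run only when a principal is given, e.g.: sh kcheck.sh alice@CITI.UMICH.EDU
if [ -n "${1:-}" ]; then
    card_login "$1"
fi
```

Run it with the principal you initialized the card for; the script exits non-zero, after kdestroy, if kinit succeeded but the cache holds no TGT for that realm, which is the case worth catching when two realms were written to the card.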
Send them to firstname.lastname@example.org.