
Smartcard-enabled Kerberos client


MIT Kerberos implementation

Description

Kerberos v5 with a smartcard holding the user's passwords. This is in production use at CITI using k4 servers. All of the crypto is done on the card.

In the current version, tickets are still stored on the host and crypto operations are restricted to des-md5. Also, the only supported card is Schlumberger's Cyberflex Access.

Download

Because of the restrictions on MIT's Kerberos, we cannot include packages, rpms or other pre-built versions of this product for public consumption.

If your platform is not supported, please download the Kerberos source code and the package below. Install instructions are included in the individual tarballs.

Dependencies


Heimdal implementation

Description

Heimdal is a free Kerberos V implementation. The smartcard patch currently works with version 0.3b and stores a user's password on the card.

Download

Heimdal patch

Apply the patch to the Heimdal source and compile with -DSMARTCARD.

OpenBSD binaries

Untar the kit in the root directory
sheep# pwd
sheep# tar xvfzp heimdal-smartcard.tgz

Dependencies


Usage

Making your Kerberos card and changing your password

Download the card-side utilities and run kscinit.sh. The card-side utilities include pay, and the Java applets and source to be loaded onto the card.

alice :) /usr/local/bin/kscinit.sh (username)
Initialize smartcard for (username)

which pay do you want to use? [ /usr/local/bin/pay ]
/* type pathname of pay if kscinit.sh did not find it */

which kinit do you want to use? [ /usr/local/bin/kinit ]
/* type pathname of kinit if kscinit.sh did not find it */

which applet do you want to use? [ ./Krb.bin ]
/usr/local/src/smartcard/Krb.bin /* type pathname of Krb.bin */

using  /usr/local/src/smartcard/Krb.bin 

reader number (1/2/...): 1  /* reader number is 1, as you have only one */

first realm: CITI.UMICH.EDU /* type a K5 realm name */
second realm: UMICH.EDU     /* type another K5 realm name - use same
one if you need only one realm */
Password for (username)@CITI.UMICH.EDU:
(username)@CITI.UMICH.EDU's Password: 
Password for (username)@UMICH.EDU:
(username)@UMICH.EDU's Password: 
/* then pay does the rest. */

Using the Kerberos smartcard

/usr/local/bin/kinit -C 0
/usr/local/bin/kinit -C 0 (username)@UMICH.EDU
/usr/local/bin/kinit -C 0 (username)@CITI.UMICH.EDU

will get the TGT for you. Use klist and kdestroy to make sure this is working.
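
An added check for the step above (example code, not part of CITI's distribution): it confirms that kinit -C 0 left a TGT for the expected realm and, because tickets are still stored on the host, that a file ticket cache is not accessible to other users. The klist header formats, the principal alice and the sample output are assumptions; the sample is constructed.

```shell
#!/bin/sh
# Added example (not CITI's code). Sample klist text below is constructed.
KINIT=${KINIT:-/usr/local/bin/kinit}   # kinit path used on this page

# has_tgt REALM: klist output on stdin; succeeds if a TGT for REALM is listed.
has_tgt() {
    awk -v want="krbtgt/$1@$1" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# cache_path: klist output on stdin; prints the path of a FILE: ticket cache.
# Assumes the "Ticket cache:" (MIT) or "Credentials cache:" (Heimdal) header.
cache_path() {
    sed -n -e 's/^Ticket cache: FILE://p' \
           -e 's/^Credentials cache: FILE://p' | head -n 1
}

# cache_is_private PATH: succeeds only if group and others have no access.
cache_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# verify_card_login PRINCIPAL REALM: live check; needs the card and reader.
verify_card_login() {
    "$KINIT" -C 0 "$1" || return 1
    out=$(klist) || return 1
    rc=0
    printf '%s\n' "$out" | has_tgt "$2" || { echo "no TGT for $2" >&2; rc=1; }
    path=$(printf '%s\n' "$out" | cache_path)
    if [ -n "$path" ] && ! cache_is_private "$path"; then
        echo "ticket cache $path is accessible to other users" >&2; rc=1
    fi
    kdestroy    # leave no tickets on the host after the test
    return $rc
}

# Constructed klist output for an offline run of the two parsers.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CITI.UMICH.EDU

Valid starting     Expires            Service principal
01/01/01 10:00:00  01/01/01 20:00:00  krbtgt/CITI.UMICH.EDU@CITI.UMICH.EDU
EOF
}

if [ $# -eq 2 ]; then verify_card_login "$1" "$2"; fi
```

Run it with a principal and realm as the two arguments for a live check; with no arguments it only defines the functions.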


Comments, etc

Send them to smartcards@umich.edu.

Copyright © 1996-2013
The Regents of the University of Michigan