Smart Cards in Java Kerberos (original) (raw)

Henry B. Hotz hbhotz at lavenderwine.com
Wed Jun 26 05:43:22 UTC 2013

Even easier. Just set useTicketCache=true in the JAAS config.

On Jun 25, 2013, at 5:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:

Java (at least Oracle JDK) does not support PKINIT.

Yes, you can do it outside, create a KerberosTicket and a KerberosPrincipal, create a JAAS Subject containing them, and call Subject.doAs() later. It should work. On Windows, if you manage to use Windows' own login and have the ticket stored inside LSA, Java should be able to read it. There is a registry key allowtgtsessionkey you need to take care of. Or maybe you can use any third party kinit to save a ccache file which can also be picked up by Java. --Max On 6/26/13 7:29 AM, Henry B. Hotz wrote: I'm not authoritative, but AFAIK there is no smart card support in Java, though there is pkcs11 support.

If I had to do it, I would do the smart card/PKINIT stuff outside Java, and then let Java use the acquired tgt. On Jun 25, 2013, at 5:52 AM, Ostap Andrusiv <pifostap at gmail.com> wrote:

Hi everyone,

I've been playing with smart cards and faced some issues. Long story short: Prerequisites: • I set up a basic Kerberos realm via Windows Active Directory. • I managed to successfully login into service via login/password pair using Java Kerberos(Krb5LoginModule), which is provided via JAAS. Now I try to implement Kerberos login via smart card. Smart card preauthentication in Kerberos is done via AS-REQ/AS-REP messages (PA-PK-AS-REQ/P extensions). Unfortunately, JAAS Kerberos hasn't used the smartcard. As far as I have seen, there were no PA-PK-AS-REQ/P extensions in openjdk sources. Maybe, I missed something. Question: 1. Does Java Kerberos support smart card preauthentication out of the box? 2. If it doesn't, can I somehow extends existing Kerberos module or should I implement whole Kerberos from the ground up?

Thanks in advance, Ostap Andrusiv web: http://andrusiv.com skype: ostap.andrusiv ::p!F

More information about the security-dev mailing list