Kerberos PKINIT - No matching entry found, preauth (pkinit) verify failure: Certificate mismatch

How to resolve "Kerberos PKINIT - No matching entry found, preauth (pkinit) verify failure: Certificate mismatch"

I have installed a FreeIPA master server, which includes Kerberos. In addition, I have a client server enrolled in FreeIPA that I use to test the PKINIT feature of Kerberos. All servers run CentOS 7. When running list_principals in kadmin, a testuser exists in FreeIPA as testuser@REALMNAME, and the user is also listed in the one and only existing realm.

getprinc testuser also gives Attributes: REQUIRES_PRE_AUTH

I created the KDC and client certificates strictly according to the documentation: https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/pkinit.html. They are signed by my own CA, whose certificate is also present on both the client and the master server.

The [realms] configuration on the master is as follows:

[realms]
 TEST.INTERN = {
  kdc = XXX:88
  master_kdc = XXX:88
  admin_server = XXX:749
  default_domain = test.intern
  pkinit_anchors = FILE:/etc/krb/ca.pem
  pkinit_identity = FILE:/etc/krb/kdc.pem,/etc/krb/kdckey.pem
  allow_pkinit = yes
  module = pkinit:/usr/lib64/krb5/plugins/preauth/pkinit.so
}

XXX is the FQDN of the master server. The client is configured as follows:

[realms]
  TEST.INTERN = {
    kdc = XXX:88
    master_kdc = XXX:88
    admin_server = XXX:749
    kpasswd_server = XXX:464
    default_domain = test.intern
    pkinit_anchors = FILE:/etc/krb/ca.pem
    pkinit_identities = FILE:/etc/krb/client.pem,/etc/krb/clientkey.pem
  }

AFAIK I should be able to run kinit testuser on the client to obtain a Kerberos ticket without entering a password.

Unfortunately, running env KRB5_TRACE=/dev/stdout kinit -V testuser produces:

[2988] 1614772826.172614: Getting initial credentials for testuser@TEST.INTERN
[2988] 1614772826.172616: Sending unauthenticated request
[2988] 1614772826.172617: Sending request (170 bytes) to TEST.INTERN
[2988] 1614772826.172618: Resolving hostname XXX
[2988] 1614772826.172619: Initiating TCP connection to stream XXX_IP:88
[2988] 1614772826.172620: Sending TCP request to stream XXX_IP:88
[2988] 1614772826.172621: Received answer (298 bytes) from stream XXX_IP:88
[2988] 1614772826.172622: Terminating TCP connection to stream XXX_IP:88
[2988] 1614772826.172623: Response was from master KDC
[2988] 1614772826.172624: Received error from KDC: -1765328359/Additional pre-authentication required
[2988] 1614772826.172627: Preauthenticating using KDC method data
[2988] 1614772826.172628: Processing preauth types: PA-PK-AS-REQ (16),PA-PK-AS-REP_OLD (15),PA-PK-AS-REQ_OLD (14),PA-FX-FAST (136),PA-ETYPE-INFO2 (19),PA-PKINIT-KX (147),PA-ENC-TIMESTAMP (2),PA-FX-COOKIE (133)
[2988] 1614772826.172629: Selected etype info: etype aes256-cts,salt ""@0.X)+A92ZBJ*5T",params ""
[2988] 1614772826.172630: Received cookie: MIT
[2988] 1614772826.172631: Preauth module pkinit (147) (info) returned: 0/Success
[2988] 1614772826.172632: PKINIT loading CA certs and CRLs from FILE
[2988] 1614772826.172633: PKINIT client computed kdc-req-body checksum 9/80ADD1F631A328C4895D0B822F96608C303E6743
[2988] 1614772826.172635: PKINIT client making DH request
[2988] 1614772826.172636: Preauth module pkinit (16) (real) returned: 0/Success
[2988] 1614772826.172637: Produced preauth for next request: PA-FX-COOKIE (133),PA-PK-AS-REQ (16)
[2988] 1614772826.172638: Sending request (3475 bytes) to TEST.INTERN
[2988] 1614772826.172639: Resolving hostname XXX
[2988] 1614772826.172640: Initiating TCP connection to stream XXX_IP:88
[2988] 1614772826.172641: Sending TCP request to stream XXX_IP:88
[2988] 1614772826.172642: Received answer (167 bytes) from stream XXX_IP:88
[2988] 1614772826.172643: Terminating TCP connection to stream XXX_IP:88
[2988] 1614772826.172644: Response was from master KDC
[2988] 1614772826.172645: Received error from KDC: -1765328318/Certificate mismatch
kinit: Certificate mismatch while getting initial credentials

The master server confirms this. /var/log/krb5kdc.log shows:

Mar 03 13:01:10 XXX krb5kdc[80746](info): Doing certauth authorize for [testuser@TEST.INTERN]
Mar 03 13:01:10 XXX krb5kdc[80746](info): Got cert filter [(userCertificate;binary=...
Mar 03 13:01:10 XXX krb5kdc[80746](info): No matching entry found
Mar 03 13:01:10 XXX krb5kdc[80746](info): preauth (pkinit) verify failure: Certificate mismatch

At this point I really don't know why this failure occurs. The certificates were created strictly according to the documentation linked above. When inspecting the certificates with openssl asn1parse -in certificate.pem -strparse OFFSET, using the appropriate offset, I get the following SubjectAltName otherName section:

openssl asn1parse -dump -in ../client/client.pem -strparse 815
    0:d=0  hl=2 l=  48 cons: SEQUENCE
    2:d=1  hl=2 l=  46 cons: cont [ 0 ]
    4:d=2  hl=2 l=   6 prim: OBJECT            :1.3.6.1.5.2.2
   12:d=2  hl=2 l=  36 cons: cont [ 0 ]
   14:d=3  hl=2 l=  34 cons: SEQUENCE
   16:d=4  hl=2 l=  13 cons: cont [ 0 ]
   18:d=5  hl=2 l=  11 prim: GENERALSTRING
      0000 - 54 45 53 54 2e 49 4e 54-45 52 4e                  TEST.INTERN
   31:d=4  hl=2 l=  17 cons: cont [ 1 ]
   33:d=5  hl=2 l=  15 cons: SEQUENCE
   35:d=6  hl=2 l=   3 cons: cont [ 0 ]
   37:d=7  hl=2 l=   1 prim: INTEGER           :01
   40:d=6  hl=2 l=   8 cons: cont [ 1 ]
   42:d=7  hl=2 l=   6 cons: SEQUENCE
   44:d=8  hl=2 l=   4 prim: GENERALSTRING
      0000 - 74 65 73 74 75 73 65 72                                       testuser

for the client certificate, and

openssl asn1parse -dump -in kdc.pem -strparse 832
    0:d=0  hl=2 l=  63 cons: SEQUENCE
    2:d=1  hl=2 l=  61 cons: cont [ 0 ]
    4:d=2  hl=2 l=   6 prim: OBJECT            :1.3.6.1.5.2.2
   12:d=2  hl=2 l=  51 cons: cont [ 0 ]
   14:d=3  hl=2 l=  49 cons: SEQUENCE
   16:d=4  hl=2 l=  13 cons: cont [ 0 ]
   18:d=5  hl=2 l=  11 prim: GENERALSTRING
      0000 - 54 45 53 54 2e 49 4e 54-45 52 4e                  TEST.INTERN
   31:d=4  hl=2 l=  32 cons: cont [ 1 ]
   33:d=5  hl=2 l=  30 cons: SEQUENCE
   35:d=6  hl=2 l=   3 cons: cont [ 0 ]
   37:d=7  hl=2 l=   1 prim: INTEGER           :02
   40:d=6  hl=2 l=  23 cons: cont [ 1 ]
   42:d=7  hl=2 l=  21 cons: SEQUENCE
   44:d=8  hl=2 l=   6 prim: GENERALSTRING
      0000 - 6b 72 62 74 67 74                                 krbtgt
   52:d=8  hl=2 l=  11 prim: GENERALSTRING
      0000 - 54 45 53 54 2e 49 4e 54-45 52 4e                  TEST.INTERN

for the KDC certificate.

At the moment I really don't understand why this doesn't work.

PS: I have replaced the real FQDN of the master server with XXX and its IP with XXX_IP.
