Smartcard-enabled Kerberos client

MIT kerberos implementation


Kerberos v5 with a smartcard holding the user's passwords. This is in production use at CITI using k4 servers. All of the crypto is done on the card.

In the current version, tickets are still stored on the host and crypto operations are restricted to des-md5. Also, the only supported card is Schlumberger's Cyberflex Access.


Because of the restrictions on MIT's Kerberos, we cannot include packages, rpms or other pre-built versions of this product for public consumption.

If your platform is not supported, please download the Kerberos source code and the package below. Install instructions are included in the individual tarballs.


Heimdal implementation


Heimdal is a free Kerberos V implementation. The smartcard patch currently works with version 0.3b and stores a user's password on the card.


Heimdal patch

Apply the patch to the heimdal source and compile with -DSMARTCARD.

OpenBSD binaries

Untar the kit in the root directory
sheep# pwd
sheep# tar xvfzp heimdal-smartcard.tgz



Making your Kerberos card and changing your password

Download the card side utilities and run The card side utilities include pay, and the Java applets and source to be loaded onto the card.

alice :) /usr/local/bin/ (username)
Initialize smartcard for (username)

which pay do you want to use? [ /usr/local/bin/pay ]
/* type the pathname of pay if it was not found */

which kinit do you want to use? [ /usr/local/bin/kinit ]
/* type the pathname of kinit if it was not found */

which applet do you want to use? [ ./Krb.bin ]
/usr/local/src/smartcard/Krb.bin /* type pathname of Krb.bin */

using  /usr/local/src/smartcard/Krb.bin 

reader number (1/2/...): 1  /* reader number is 1, as you have only one */

first realm: CITI.UMICH.EDU /* type a K5 realm name */
second realm: UMICH.EDU     /* type another K5 realm name - use same
one if you need only one realm */
Password for (username)@CITI.UMICH.EDU:
(username)@CITI.UMICH.EDU's Password: 
Password for (username)@UMICH.EDU:
(username)@UMICH.EDU's Password: 
/* then pay does the rest. */

Using the kerberos smartcard

/usr/local/bin/kinit -C 0
/usr/local/bin/kinit -C 0 (username)@UMICH.EDU
/usr/local/bin/kinit -C 0 (username)@CITI.UMICH.EDU

will get the TGT for you. Use klist and kdestroy to make sure this is working.

Comments, etc

Send them to Email address
or call +1 734 763 2929
Copyright © 1996-2013
The Regents of the University of Michigan