[Pubcookie-users] Pubcookie 3.0.0b3 installation issues
Scott Adkins
adkinss at ohio.edu
Thu Jan 16 11:30:23 PST 2003
Okay, I just installed it on our Tru64 5.1a Cluster system and can't get
keyclient to generate the DES key as the documentation indicates. First,
let me describe the directory structure:
/usr/local/pubcookie:
drwxr-xr-x root system 8192 Jan 16 11:41 bin
-rw-r--r-- root system 720 Jan 16 13:06 config
drwxr-xr-x root system 8192 Jan 16 12:56 keys
drwxr-xr-x root system 8192 Jan 16 11:39 login
drwxr-xr-x root system 8192 Jan 16 11:39 login_templates
/usr/local/pubcookie/bin:
-rwxr-xr-x root system 280016 Jan 16 11:41 keyclient
-rwxr-xr-x root system 289264 Jan 16 11:41 keyserver
/usr/local/pubcookie/keys:
-rw-r--r-- root system 899 Jan 16 11:52 ginkgo.cert
-rw-r--r-- root system 891 Jan 16 11:52 ginkgo.key
-rw-r--r-- root system 1285 Jan 16 11:36 pubcookie_granting.cert
-rw-r--r-- root system 887 Jan 16 11:36 pubcookie_granting.key
-rw-r--r-- root system 1281 Jan 16 12:49 verisign.ca
/usr/local/pubcookie/login:
-rwxr-xr-x root system 998336 Jan 16 11:39 index.cgi
/usr/local/pubcookie/login_templates:
<bunch of stuff in it>
My config file is as follows:
debug: 9
logging_level: 20
login_host: ginkgo.cats.ohiou.edu
login_uri: https://ginkgo.cats.ohiou.edu/cgi-bin/login
enterprise_domain: .cats.ohiou.edu
keymgt_uri: https://ginkgo.cats.ohiou.edu:2222
basic_verifier: alwaystrue
ssl_key_file: /usr/local/pubcookie/keys/ginkgo.key
ssl_cert_file: /usr/local/pubcookie/keys/ginkgo.cert
ssl_ca_file: /usr/local/pubcookie/keys/verisign.ca
The /etc/services and /etc/inetd.conf entries are as follows:
2222 stream tcp nowait root /usr/local/pubcookie/bin/keyserver keyserver
Finally, the ginkgo.key and ginkgo.cert files are the same files used by
our web server. The verisign.ca file was created from what I found at the
following web location (which I think should be listed in the docs):
http://www.verisign.com/support/install/intermediate.html
I had a lot of trouble with the installation. Some of the details include
the following:
./configure --with-apxs=/usr/local/apache/ginkgo/bin/apxs \
--with-ssl-dir=/usr/local/ssl --enable-login --enable-krb5 \
--with-krb5-dir=/usr/local/kerberos
The configuration process found the krb5 libraries, but then couldn't
find krb5_init_context() when linking with -lkrb5. I haven't tracked this
down yet, but I do know the function is there. I modified the Makefile
and added "-lkrb5 -lk5crypto -lcom_err" to the end of LOGINLIBS in order
to get things to run. When I typed "make", it complained about not knowing
how to build ./index.cgi. I had to type "make index.cgi" to get that to
work. Once that was done, then I could type "make" and get the rest of it
compiled.
The installation process is all messed up. I had to modify the Makefile
and put /usr/local/apache/ginkgo/bin/apxs on the APXS line, as the config
process above didn't seem to get that info into the Makefile when it was
built. As for the "make install", the ./install-sh program wouldn't even
run properly. I had to remove the -b and -p command line switches from
the install-sh line in the Makefile before it would do a halfway decent
job of installing... even so, keyclient made it to /usr/local/pubcookie
and keyserver didn't even make it. I created a bin directory and moved
both of them there.
Anyways, I definitely think the installation process was a bit on the rough
side, but hey, it is beta. I don't know if the problems were due to the
beta nature of the software, or Tru64 was causing problems.
So, I created the pubcookie_granting certificate and key files without
any problems (following directions). I went to verisign's web site and
downloaded the intermediate CA certificate. I copied the SSL certificates
being used from the web server over as well. Modified inetd.conf and put
the proper entry there and HUP'd it. Telnet 2222 shows it connects and
then drops the connection.
Next the instructions indicate I should run keyclient to create the initial
DES key. This is where things totally break. It sits there for a minute
and I finally get the following error (by the way, I ran this as root):
SSL_write failed:
1458808:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:514:
In the syslog, the only entries that show up are the following:
Jan 16 14:25:51 ginkgo2a syslog: security_init: hello
Jan 16 14:25:51 ginkgo2a syslog: security_init: goodbye
Jan 16 14:25:53 ginkgo2a syslog: security_init: hello
Jan 16 14:25:53 ginkgo2a syslog: security_init: goodbye
Jan 16 14:25:56 ginkgo2a syslog: verifying peer certificate... ok=0
Jan 16 14:25:56 ginkgo2a syslog: verify error:num=20:unable to get local issuer certificate
Jan 16 14:25:56 ginkgo2a syslog: SSL_accept: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
I have tried various things and can't seem to get past this. The stuff is
linked against the shared libraries of OpenSSL 0.9.6e. I have trussed the
keyclient process and can see that it finds all 5 files and opens them
without any problems in the /usr/local/pubcookie/keys directory. So, I am
right now without a clue as to where to go from here.
With debugging set as high as it is, shouldn't I see more? Or would I only
see more when I am accessing this stuff through the web server mechanism?
Thanks,
Scott
--
+-----------------------------------------------------------------------+
Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
UNIX Systems Engineer mailto:adkinss at ohio.edu
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-----------------------------------------------------------------------+
PGP Public Key available at http://www.cns.ohiou.edu/~sadkins/pgp/
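The syslog lines in the post show the verifying side reporting X509 verify error 20, "unable to get local issuer certificate", which means the issuer of the certificate it was handed could not be found in the CA material it loaded. The following script is an added example, not code from the original post or from the Pubcookie project: it builds a throwaway root/intermediate/leaf chain with the openssl CLI and shows `openssl verify` returning error 20 when the CA file holds only the root (the leaf's issuer, the intermediate, is missing) and OK when the intermediate is included. The certificate names, the `verify_with` helper and the temporary directory are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the Pubcookie project).
# Builds root -> intermediate -> leaf with the openssl CLI, then runs
# `openssl verify` against two CA files: root only (reproduces X509 verify
# error 20, "unable to get local issuer certificate") and root+intermediate
# (chain closes, verification OK).  Names below are made up.
set -u

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Root CA: self-signed; `req -x509` marks it CA:TRUE by default.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
    -keyout root.key -out root.pem >/dev/null 2>&1 || exit 1

# Intermediate CA, signed by the root and explicitly marked as a CA so that
# verify accepts it as an issuer.
printf 'basicConstraints=CA:TRUE\n' > ca_ext.cnf
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout inter.key -out inter.csr >/dev/null 2>&1 || exit 1
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca_ext.cnf -out inter.pem >/dev/null 2>&1 || exit 1

# Leaf certificate (the role a host certificate like ginkgo.cert plays),
# signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || exit 1
openssl x509 -req -days 2 -in leaf.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -out leaf.pem >/dev/null 2>&1 || exit 1

# verify_with <cafile>: verify leaf.pem against <cafile> and print the
# OpenSSL X509 verify error number (e.g. 20), or 0 when verification is OK.
# Always returns 0 so it can be used safely inside command substitution.
verify_with() {
    out=$(openssl verify -CAfile "$1" leaf.pem 2>&1)
    if echo "$out" | grep -q ': OK$'; then
        echo 0
        return 0
    fi
    # Failure output looks like:
    #   error 20 at 0 depth lookup: unable to get local issuer certificate
    echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
    return 0
}

# Case 1: CA file holds only the root. The leaf's issuer (the intermediate)
# is nowhere to be found, so verify stops at depth 0 with error 20.
cat root.pem > ca_root_only.pem
# Case 2: CA file holds root and intermediate; the chain closes.
cat root.pem inter.pem > ca_full.pem

echo "root only:         verify error $(verify_with ca_root_only.pem)"
echo "root+intermediate: verify error $(verify_with ca_full.pem)"
# Files are left in $WORK so the chain can be inspected with `openssl x509 -text`.
```

Running it prints `verify error 20` for the root-only CA file and `verify error 0` for the full one. The check worth carrying to a real deployment is `openssl verify -CAfile <ssl_ca_file> <peer certificate>` on each end, which reproduces the issuer lookup that the verifying side performs during the handshake; until that reports OK for the certificate the peer presents, the handshake will keep failing in verification.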