[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

abbra freeipa-github-notification at redhat.com
Sun Dec 11 13:33:52 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
Thanks @simo5. Except for the SELinux changes, this PR is ready to be accepted.
TODO as separate pull requests:

* SELinux policy needs to be updated to allow certmonger to write to /var/kerberos/krb5kdc/:
    allow certmonger_t krb5kdc_conf_t:dir { add_name write };
    allow certmonger_t krb5kdc_conf_t:file create;

* For CA-less setup we need to add `ipa-pkinit-manage` to allow adding externally provided PKCS#12 package with KDC certificate after the installation

Also, to document the decisions we made when moving forward with this PR, the anonymous PKINIT principal is created in all configurations. Its use for the non-PKINIT case will be detailed in the privilege separation patchset:
 * for embedded CA, Anonymous PKINIT is used for password/2FA login FAST wrapping
 * if Anonymous PKINIT does not work (CA-less or external CA case with PKINIT not configured), a Kerberos keytab with the Anonymous principal will be used for FAST wrapping
 * finally, if neither of these cases works, privilege separation will degrade 2FA logon.

This allows us to fully utilize Anonymous Kerberos principal potential.

ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-266282332
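The FAST armor fallback order described in the comment (anonymous PKINIT first, anonymous-principal keytab second, otherwise no armor and degraded 2FA), written out as a small POSIX shell script. This is an added illustration, not FreeIPA code or the privilege separation patchset itself; the realm, the keytab path and the ccache location are assumed placeholders, and the Anonymous principal name follows the MIT krb5 convention for `kinit -n`.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): choose a FAST armor credential
# cache in the order the PR comment describes.
#
# Assumptions (placeholders, adjust for a real deployment):
REALM="${REALM:-EXAMPLE.TEST}"                         # hypothetical realm
ANON_KEYTAB="${ANON_KEYTAB:-/var/lib/ipa/anon.keytab}" # hypothetical keytab path
ARMOR_CC="${ARMOR_CC:-FILE:/tmp/armor_ccache.$$}"      # where armor tickets land

ANON_PRINC="WELLKNOWN/ANONYMOUS@$REALM"

# 1) Anonymous PKINIT: needs a KDC certificate and pkinit_anchors the client
#    trusts; no keytab or password involved.
armor_via_pkinit() {
    kinit -n -c "$ARMOR_CC" "$ANON_PRINC" >/dev/null 2>&1
}

# 2) Fallback for CA-less / unconfigured-PKINIT setups: the Anonymous
#    principal's key from a keytab. Fails fast if the keytab is unreadable.
armor_via_keytab() {
    [ -r "$ANON_KEYTAB" ] || return 1
    kinit -k -t "$ANON_KEYTAB" -c "$ARMOR_CC" "$ANON_PRINC" >/dev/null 2>&1
}

# Prints the armor source that succeeded: "pkinit", "keytab" or "none".
# Exit status is 0 when an armor ccache was obtained, 1 otherwise; "none"
# is the case where the caller has to degrade 2FA logon.
select_armor() {
    if armor_via_pkinit; then
        echo pkinit
        return 0
    fi
    if armor_via_keytab; then
        echo keytab
        return 0
    fi
    echo none
    return 1
}

# Stand-alone usage: report the chosen method and leave ARMOR_CC populated
# for a subsequent "kinit -T $ARMOR_CC user" (the FAST-wrapped user login).
if [ "${0##*/}" != "sh" ] && [ -z "$ARMOR_SELECT_NO_MAIN" ]; then
    method=$(select_armor) || true
    echo "FAST armor source: $method (ccache $ARMOR_CC)"
fi
```

Run it on a host with a configured `kinit`; set `ARMOR_SELECT_NO_MAIN=1` when sourcing it from another script so only the functions are defined. Each step shells out to `kinit` and treats any failure as "try the next source", which is the property the comment relies on: the Anonymous principal exists in every configuration, so only the way its ticket is obtained changes.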
