[Freeipa-devel] Anonymous PKINIT and kdcproxy

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 12 09:37:01 UTC 2016


On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
>On Mon, 12 Dec 2016, Christian Heimes wrote:
>>On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>On Mon, 12 Dec 2016, Christian Heimes wrote:
>>>>Hi Simo,
>>>>
>>>>I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>>of Kerberos requests are performed by anon pkinit and to establish a
>>>>FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>>and AP-REQ+KRB-PRIV. Responses are not filtered.
>>>Anonymous principal as configured in FreeIPA can only be used to obtain
>>>a TGT, nothing else.
>>>
>>>See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>
>>That doesn't answer my question for me. Or does 'only TGT' imply that
>>request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>>about the two request types.
>You can only obtain a TGT and this TGT can only be used for FAST
>channel. You cannot obtain any service ticket with this TGT.
To close the loop, no changes in kdcproxy are needed because PKINIT is a
pre-authentication scheme and it works just fine with kdcproxy as it is.
I just tested this.
-- 
/ Alexander Bokovoy
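To make concrete what the request-type filter discussed above actually looks at, here is an added Python example (my own illustration, not kdcproxy's code): it names the Kerberos message carried in a KDC-PROXY-MESSAGE by its outer ASN.1 [APPLICATION n] tag, recognises the kpasswd AP-REQ+KRB-PRIV bundle (RFC 3244 framing), and shows why PKINIT passes unchanged, since PA-PK-AS-REQ is pre-authentication data inside the AS-REQ and the outer tag is still AS-REQ. The function names, the ALLOWED set and the sample bytes are constructed for this example; real messages are full DER-encoded PDUs.

```python
import struct
# Kerberos message types by [APPLICATION n] tag number (RFC 4120 section 5.10).
KRB_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 14: "AP-REQ",
            15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV", 22: "KRB-CRED", 30: "KRB-ERROR"}
ALLOWED = {"AS-REQ", "TGS-REQ", "KPASSWD"}  # KPASSWD: the AP-REQ+KRB-PRIV bundle (assumed name)

def der_app(data, off=0):
    """Parse one constructed [APPLICATION n] DER TLV at off; return (n, end_offset)."""
    if len(data) - off < 2 or data[off] & 0xE0 != 0x60:  # class APPLICATION, constructed
        raise ValueError("not a Kerberos APPLICATION-class message")
    length, hdr = data[off + 1], 2
    if length & 0x80:  # long form: 0x81..0x84, then that many big-endian length bytes
        nbytes, hdr = length & 0x7F, 2 + (length & 0x7F)
        length = int.from_bytes(data[off + 2:off + hdr], "big") if 0 < nbytes <= 4 else -1
    if length < 0 or off + hdr + length > len(data):
        raise ValueError("bad or truncated DER length")
    return data[off] & 0x1F, off + hdr + length

def classify(framed):
    """Name the kerb-message of a KDC-PROXY-MESSAGE: 4-byte length + one Kerberos PDU."""
    if len(framed) < 4 or struct.unpack(">I", framed[:4])[0] != len(framed) - 4:
        raise ValueError("length prefix does not match payload")
    body = framed[4:]
    try:  # plain Kerberos message: exactly one APPLICATION TLV filling the body
        n, end = der_app(body)
        if end == len(body):
            return KRB_TAGS.get(n, "UNKNOWN")
    except ValueError:
        pass
    # kpasswd (RFC 3244): msglen(2) | version(2) | ap-req-len(2) | AP-REQ | KRB-PRIV
    if len(body) >= 6:
        msglen, version, aplen = struct.unpack(">HHH", body[:6])
        if msglen == len(body) and version in (0x0001, 0xFF80):
            n1, e1 = der_app(body[:6 + aplen], 6)  # AP-REQ must fill exactly aplen bytes
            n2, e2 = der_app(body, e1)              # KRB-PRIV must fill the rest
            if (n1, e1, n2, e2) == (14, 6 + aplen, 21, len(body)):
                return "KPASSWD"
    raise ValueError("unrecognised KDC message")

def der_wrap(n, value):
    """[APPLICATION n] constructed wrapper (short-form length) for building samples."""
    return bytes([0x60 | n, len(value)]) + value

def frame(msg):
    return struct.pack(">I", len(msg)) + msg

# Constructed samples with placeholder bodies; PKINIT padata sits inside the AS-REQ, tag 10.
SAMPLE_AS_REQ = frame(der_wrap(10, b"\x30\x00"))
_ap, _priv = der_wrap(14, b"\x30\x00"), der_wrap(21, b"\x30\x00")
SAMPLE_KPASSWD = frame(struct.pack(">HHH", 6 + len(_ap) + len(_priv), 1, len(_ap)) + _ap + _priv)
```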
