[Freeipa-devel] Anonymous PKINIT and kdcproxy

Christian Heimes cheimes at redhat.com
Mon Dec 12 09:46:38 UTC 2016


On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Alexander Bokovoy wrote:
>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>>>> Hi Simo,
>>>>>
>>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>>> of Kerberos requests are performed by anon pkinit and to establish a
>>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>>>> Anonymous principal as configured in FreeIPA can only be used to obtain
>>>> a TGT, nothing else.
>>>>
>>>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>>
>>> That doesn't answer my question for me. Or does 'only TGT' imply that
>>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>>> about the two request types.
>> You can only obtain a TGT and this TGT can only be used for FAST
>> channel. You cannot obtain any service ticket with this TGT.
> To close the loop, no changes in kdcproxy are needed because PKINIT is a
> pre-authentication scheme and it works just fine with kdcproxy as it is.
> I just tested this.

Alexander, thanks for your tests!

I have created an issue to add test cases to kdcproxy to ensure that we
stay compatible with PKINIT, https://github.com/latchset/kdcproxy/issues/23

Christian
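Added example, not code from the thread, from python-kdcproxy or from FreeIPA: a simplified version of the request-type filter discussed above, showing why anonymous PKINIT needs no proxy changes, since the message type is decided by the outer DER APPLICATION tag and PKINIT or FAST pre-authentication data sits inside the AS-REQ body. It assumes MS-KKDCP framing of the kerb-message field (4-octet length prefix) and RFC 3244 kpasswd framing for the AP-REQ+KRB-PRIV case; the sample messages are constructed with empty bodies.

```python
# Added example, not code from the thread or from python-kdcproxy: a simplified
# version of the request-type filter the thread describes, applied to the
# kerb-message field of an MS-KKDCP proxy request (4-octet length, then the
# Kerberos message, as on TCP). Kerberos messages are DER values with an
# APPLICATION tag: AS-REQ [10] = 0x6a, TGS-REQ [12] = 0x6c, AP-REQ [14] = 0x6e,
# KRB-PRIV [21] = 0x75. Only that outer tag is checked, so PKINIT (anonymous or
# not) and FAST, which ride as pre-authentication data inside the body, pass.
import struct

AS_REQ, TGS_REQ, AP_REQ, KRB_PRIV = 0x6A, 0x6C, 0x6E, 0x75

def der_tlvs(buf):
    """Yield (tag, raw_tlv) for each concatenated DER value; reject truncation."""
    i = 0
    while i < len(buf):
        if i + 1 >= len(buf):
            raise ValueError("truncated DER header")
        start, tag, length = i, buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the count of length octets
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        i += length
        if i > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[start:i]

def classify(kerb_message):
    """Return the accepted request type, or None when the proxy should refuse it."""
    if len(kerb_message) < 4 or struct.unpack("!I", kerb_message[:4])[0] != len(kerb_message) - 4:
        return None
    body = kerb_message[4:]
    try:
        if body[:1] in (b"\x6a", b"\x6c"):
            tags = tuple(tag for tag, _ in der_tlvs(body))
            return {(AS_REQ,): "AS-REQ", (TGS_REQ,): "TGS-REQ"}.get(tags)
        # kpasswd (RFC 3244) framing: 2-octet length, 2-octet version (0x0001 change,
        # 0xff80 set password), 2-octet AP-REQ length, then AP-REQ followed by KRB-PRIV.
        msg_len, version, ap_len = struct.unpack("!HHH", body[:6])
        tlvs = list(der_tlvs(body[6:]))
        if (msg_len == len(body) and version in (0x0001, 0xFF80)
                and [t for t, _ in tlvs] == [AP_REQ, KRB_PRIV] and ap_len == len(tlvs[0][1])):
            return "AP-REQ+KRB-PRIV"
    except (ValueError, struct.error):  # malformed framing or truncated DER
        pass
    return None

# Constructed, content-free samples (the filter never looks inside the bodies).
SAMPLE_AS_REQ = struct.pack("!I", 4) + b"\x6a\x02\x30\x00"
SAMPLE_KPASSWD = struct.pack("!I", 14) + struct.pack("!HHH", 14, 1, 4) + b"\x6e\x02\x30\x00\x75\x02\x30\x00"
```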
