[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

splashx freeipa-github-notification at redhat.com
Mon Nov 28 16:58:11 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

splashx commented:
"""
@simo5 done, however not successfully. It's [not really my first time](http://www.securiteam.com/securitynews/6C02X0AHGA.html) on the pkinit rodeo, so I'm wondering if FreeIPA's got something on top. I've got one freeipa instance for testing purposes, so not fussing with several servers. For debug purposes, I have done:

/etc/kdc.conf
```
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true

[realms]
 REALM.EU = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /etc/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
;  admin_keytab = /etc/krb5kdc/kadm5.keytab
+   pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem  
+   pkinit_eku_checking = none
 }
```

The anonymous user (created manually first with `-randkey`, modified with `-requires_preauth` and then later with `purgekeys -all WELLKNOWN/ANONYMOUS at REALM.EU`) looks like this:
```
root at ipa01:/var/lib/krb5kdc# kadmin.local -x ipa-setup-override-restrictions
Authenticating as principal admin/admin at REALM.EU with password.
kadmin.local:  getprinc WELLKNOWN/ANONYMOUS at REALM.EU
Principal: WELLKNOWN/ANONYMOUS at REALM.EU
Expiration date: [never]
Last password change: Mon Nov 28 12:46:41 UTC 2016
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Nov 28 16:04:32 UTC 2016 (admin/admin at REALM.EU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 0
MKey: vno 1
Attributes:
Policy: [none]
```

I made sure the certificate's common name matches the fqdn, still getting:

```
root at ubuntu:~# KRB5_TRACE=/dev/stdout kinit -n
[10593] 1480350802.381306: Getting initial credentials for WELLKNOWN/ANONYMOUS at REALM.EU
[10593] 1480350802.384075: Sending request (178 bytes) to REALM.EU
[10593] 1480350802.433623: Retrying AS request with master KDC
[10593] 1480350802.434688: Getting initial credentials for WELLKNOWN/ANONYMOUS at REALM.EU
[10593] 1480350802.435476: Sending request (178 bytes) to REALM.EU (master)
[10593] 1480350802.436191: Resolving hostname kdc.domain.eu
[10593] 1480350802.462072: Sending initial UDP request to dgram 10.235.2.25:88
[10593] 1480350803.465087: Resolving hostname kdc.domain.eu
[10593] 1480350803.489656: Sending initial UDP request to dgram 10.235.2.25:750
[10593] 1480350804.491058: Initiating TCP connection to stream 10.235.2.25:88
[10593] 1480350804.515736: Sending TCP request to stream 10.235.2.25:88
[10593] 1480350804.547579: Received answer (269 bytes) from stream 10.235.2.25:88
[10593] 1480350804.547663: Received error from KDC: -1765328359/Additional pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547713: Received cookie: MIT
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[10593] 1480350804.547776: PKINIT client has no configured identity; giving up
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[10593] 1480350804.547793: PKINIT client has no configured identity; giving up
[10593] 1480350804.547798: Preauth module pkinit (14) (real) returned: 22/Invalid argument
kinit: Invalid argument while getting initial credentials
root at ubuntu:~# 
```

Any thoughts would be helpful.

Thanks in advance
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-263324302
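As an added diagnostic example (not code from the PR or from FreeIPA), the following Python parses `KRB5_TRACE` output in the format quoted above and separates a KDC that never offers PKINIT from a client that gives up for lack of its own configuration. The sample trace lines are constructed, and the `pkinit_anchors` hint reflects the usual MIT client setup for `kinit -n`, not something stated in the thread.

```python
import re

# Constructed sample, modelled on the trace lines quoted in the comment above.
SAMPLE_TRACE = """\
[10593] 1480350804.547663: Received error from KDC: -1765328359/Additional pre-authentication required
[10593] 1480350804.547708: Processing preauth types: 16, 15, 14, 136, 147, 133
[10593] 1480350804.547744: Preauth module pkinit (147) (info) returned: 0/Success
[10593] 1480350804.547758: PKINIT client has no configured identity; giving up
[10593] 1480350804.547765: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[10593] 1480350804.547776: PKINIT client has no configured identity; giving up
[10593] 1480350804.547782: Preauth module pkinit (14) (real) returned: 22/Invalid argument
"""

# KRB5_TRACE line layout: "[pid] seconds.micros: message"
LINE_RE = re.compile(r"^\[(\d+)\] ([\d.]+): (.*)$")
OFFERED_RE = re.compile(r"^Processing preauth types: ([\d, ]+)$")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")
MODULE_RE = re.compile(r"^Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)$")

PKINIT_REQ_TYPES = {14, 16}  # PA-PK-AS-REQ-OLD and PA-PK-AS-REQ (RFC 4556)


def parse_trace(text):
    """Extract offered preauth types, the KDC error, each preauth module's
    return code, and whether the client bailed out for lack of a PKINIT identity."""
    out = {"offered": [], "kdc_error": None, "modules": [], "no_identity": False}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        offered, err, mod = OFFERED_RE.match(msg), KDC_ERR_RE.match(msg), MODULE_RE.match(msg)
        if offered:
            out["offered"] = [int(t) for t in offered.group(1).split(",")]
        elif err:
            out["kdc_error"] = (int(err.group(1)), err.group(2))
        elif mod:
            out["modules"].append((mod.group(1), int(mod.group(2)), mod.group(3), int(mod.group(4))))
        elif msg.startswith("PKINIT client has no configured identity"):
            out["no_identity"] = True
    return out


def diagnose(parsed):
    """Say which side to look at: the KDC (PKINIT not offered) or the client (no identity)."""
    if not PKINIT_REQ_TYPES & set(parsed["offered"]):
        return "KDC side: PKINIT (preauth 14/16) was not offered; check pkinit_identity and the principal"
    if parsed["no_identity"]:
        return "client side: KDC offered PKINIT but the client has no identity; for kinit -n this usually means pkinit_anchors is missing from krb5.conf"
    failed = [m for m in parsed["modules"] if m[3] != 0]
    return "client tried PKINIT; failing modules: %r" % failed
```

Run `diagnose(parse_trace(SAMPLE_TRACE))` to see the client-side verdict the quoted trace leads to; feed it a real `KRB5_TRACE=/dev/stdout kinit -n` capture to check your own setup.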

