directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Anonymous PKINIT support
Date Tue, 20 Jun 2017 11:39:58 GMT
Hi all,

As per the recent email on JWT, I'd like to look at the outstanding issues
surrounding anonymous PKINIT support in Kerby.

a) Last year I raised concerns about the KDC not signing the response:

https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html

Currently, we don't use the private key at all in the KDC when it is
configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:

https://tools.ietf.org/html/rfc6112

"If the KDC's signature is missing in the KDC reply (the reply is anonymous),
the client MUST reject the returned ticket if it cannot authenticate the KDC
otherwise."

I don't really see how the client can authenticate the KDC as things stand,
so I think we need to sign the KDC response and enforce a signature on the
client side.

b) From the MIT page:

"If you need to enable anonymity support for TGTs (for use as FAST armor
tickets) without enabling anonymous authentication to application servers,
you can set the variable restrict_anonymous_to_tgt to true in the
appropriate [realms] subsection of the KDC’s kdc.conf file."

Is this supported by Kerby? I'm guessing not, but we should add support for
it.

c) Is there a way to differentiate between anonymous + authenticated PKINIT
in the KDC configuration? What if you don't want to allow the anonymous
case?

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

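The RFC 6112 rule quoted in point (a) above, as an added example that is not part of the original message and not Kerby's code: a constructed model of the client-side check. The PA-PK-AS-REP structure, CMS signing and the KDC's PKINIT identity key are replaced by an Ed25519 key and a plain byte signature over the DH reply (assumptions, for illustration only); the `kdcOtherwiseAuthenticated` flag stands in for any out-of-band KDC authentication the client may have.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KdcReply is a deliberately simplified stand-in (constructed) for the
// PA-PK-AS-REP a client receives in anonymous PKINIT: the KDC's DH reply
// bytes plus an optional signature by the KDC over them (RFC 6112).
type KdcReply struct {
	DHReply   []byte
	Signature []byte // empty when the KDC did not sign (anonymous reply)
}

// signReply models what the KDC should do with its PKINIT identity key:
// sign the DH reply so the client can authenticate the KDC.
func signReply(kdcKey ed25519.PrivateKey, dhReply []byte) KdcReply {
	return KdcReply{DHReply: dhReply, Signature: ed25519.Sign(kdcKey, dhReply)}
}

// verifyReply implements the quoted rule on the client side: a reply with
// no KDC signature is accepted only if the KDC is authenticated some other
// way; a present signature must verify against the trusted KDC public key.
func verifyReply(kdcPub ed25519.PublicKey, r KdcReply, kdcOtherwiseAuthenticated bool) error {
	if len(r.Signature) == 0 {
		if kdcOtherwiseAuthenticated {
			return nil
		}
		return errors.New("unsigned anonymous KDC reply and KDC not otherwise authenticated: reject ticket")
	}
	if !ed25519.Verify(kdcPub, r.DHReply, r.Signature) {
		return errors.New("KDC signature does not verify: reject ticket")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dh := []byte("constructed DH reply bytes") // stand-in for real KDC DH info
	fmt.Println(verifyReply(pub, signReply(priv, dh), false))   // signed: accepted
	fmt.Println(verifyReply(pub, KdcReply{DHReply: dh}, false)) // unsigned: rejected
	fmt.Println(verifyReply(pub, KdcReply{DHReply: dh}, true))  // unsigned but KDC known: accepted
}
```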