[38055] in Kerberos


Re: certificate revocation check for PKINIT in KDC

daemon@ATHENA.MIT.EDU (Jim Shi)
Thu Aug 10 11:17:12 2017

From: Jim Shi <hanmao_shi@apple.com>
Date: Thu, 10 Aug 2017 08:16:50 -0700
To: tseegerkrb <tseegerkrb@gmail.com>
Cc: kerberos@mit.edu
In-reply-to: <c0775836-d1c3-9f26-d4db-63ff7ac48508@gmail.com>

Greg:
I thought OCSP was supported.  Good to know it is not.

Thorsten:

Thanks for the info.

Jim

> On Aug 10, 2017, at 3:53 AM, tseegerkrb <tseegerkrb@gmail.com> wrote:
> 
> On 10.08.2017 06:55, Greg Hudson wrote:
>> On 08/08/2017 02:11 PM, Jim Shi wrote:
>>> Is there any document on how to configure certificate revocation checking for PKINIT in the KDC?
>> I believe the only documentation we have for this is in the man page for
>> kdc.conf, which says:
>> 
>> pkinit_revoke
>>  Specifies the location of Certificate Revocation List (CRL)
>>  information to be used by the KDC when verifying the validity of
>>  client certificates. This option may be specified multiple times.
>> 
>> The CRL file(s) have to be maintained out of band (we do not have OCSP
>> support; you might see documentation for a pkinit_kdc_ocsp variable but
>> it isn't implemented).  If I read the code correctly, CRL files are only
>> read on KDC startup, so the KDC must be restarted to update revoked
>> certs.  CRL files are expected to be in PEM format.
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> Hello,
> if you set this up, a little warning: at least on Debian and Ubuntu the
> option "pkinit_require_crl_checking = true" does not work as expected.
> If it is set to true you get the message that the certificate status is unknown (or something similar).
> So if you cannot authenticate with the certs, try setting 'pkinit_require_crl_checking' to false.
> This will deny revoked certificates too.
> 
> ...
>  pkinit_revoke = FILE:/etc/krb5kdc/TNTNET_LOCAL_PKINIT_CA.crl
>  #pkinit_revoke = /etc/krb5kdc/
>  # If pkinit_require_crl_checking is set to 'true'
>  # login always fails
>  pkinit_require_crl_checking = false
> }
> 
> For testing and playing around I made a bash script to install a multimaster Kerberos server with an OpenLDAP backend.
> The script sets up PKINIT too. If you want to take a look you can find it here: https://wp.tntnet.eu/?p=112
> 
> Regards
> Thorsten
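Greg's three points above (CRLs must be PEM, are maintained out of band, and are only read when the KDC starts) mean a stale or malformed CRL on disk is an operator problem the KDC will not flag for you until it is restarted. The following is an added example, not code from this thread or from MIT krb5: it collects the FILE: entries from a kdc.conf text (the form shown in Thorsten's config; any other form is not recognized here), parses each PEM CRL with a minimal DER walker, and reports a CRL whose nextUpdate has already passed. It does not verify the CRL signature (that remains the KDC's job). The path /etc/krb5kdc/ca.crl, the issuer name, the serial numbers and the reference time are constructed sample values, and build_sample_crl emits a CRL with a zero-filled signature purely as test input.

```python
"""Added example (not from the thread or MIT krb5): pre-flight check of the PEM CRLs
that a kdc.conf's pkinit_revoke entries point at.  Minimal DER walker, no signature check."""
import base64
import datetime as dt
import re

SAMPLE_NOW = dt.datetime(2017, 8, 10, 12, 0, 0, tzinfo=dt.timezone.utc)  # constructed reference time
ONE_DAY = dt.timedelta(days=1)

# --- minimal DER reading ---------------------------------------------------------
def der_tlv(buf, pos):
    """Decode one TLV at buf[pos] (definite length only); return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        out.append((tag, v))
    return out

def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:
        year = int(s[:2]); year += 2000 if year < 50 else 1900; s = s[2:]
    elif tag == 0x18:
        year = int(s[:4]); s = s[4:]
    else:
        raise ValueError("expected a Time")
    return dt.datetime(year, int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                       tzinfo=dt.timezone.utc)

def parse_pem_crl(pem_text):
    """Return thisUpdate, nextUpdate (None if absent) and the set of revoked serial numbers."""
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem_text, re.S)
    if not m:
        raise ValueError("not a PEM-encoded CRL (the KDC expects PEM)")
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert_list, _ = der_tlv(der, 0)                         # CertificateList
    fields = der_children(der_children(cert_list)[0][1])      # tbsCertList fields, in order
    i = 1 if fields[0][0] == 0x02 else 0                      # optional version INTEGER
    i += 2                                                    # signature AlgorithmIdentifier, issuer Name
    this_update = parse_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):      # optional nextUpdate
        next_update = parse_time(*fields[i]); i += 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:              # optional revokedCertificates
        for _, entry in der_children(fields[i][1]):
            serial = der_children(entry)[0][1]                # userCertificate INTEGER
            revoked.add(int.from_bytes(serial, "big", signed=True))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def pkinit_revoke_files(kdc_conf_text):
    """Collect paths from active 'pkinit_revoke = FILE:...' lines; '#' comments do not match."""
    return [m.group(1) for m in (re.match(r"\s*pkinit_revoke\s*=\s*FILE:(\S+)", line)
                                 for line in kdc_conf_text.splitlines()) if m]

def check_crl(pem_text, now):
    """Findings an operator should act on; an empty list means the CRL looks usable right now."""
    info, findings = parse_pem_crl(pem_text), []
    if info["this_update"] > now:
        findings.append("thisUpdate is in the future; check clocks")
    if info["next_update"] is None:
        findings.append("no nextUpdate; cannot tell when the CRL goes stale")
    elif info["next_update"] < now:
        findings.append("CRL expired at %s; fetch a fresh one and restart the KDC"
                        % info["next_update"].isoformat())
    return findings

# --- constructed sample input (dummy signature; only for exercising the checks) -----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_utctime(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_crl(this_update, next_update, serials):
    """Build a CRL whose signature field is zero-filled: fine for parsing, never for trust."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))         # sha256WithRSAEncryption
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))  # CN=
                                           + der(0x0C, b"Example PKINIT CA"))))
    revoked = der(0x30, b"".join(der(0x30, der_int(s) + der_utctime(this_update)) for s in serials))
    tbs = der(0x30, der_int(1) + alg + issuer + der_utctime(this_update) + der_utctime(next_update) + revoked)
    crl = der(0x30, tbs + alg + der(0x03, bytes(17)))                          # BIT STRING, dummy signature
    return "-----BEGIN X509 CRL-----\n" + base64.encodebytes(crl).decode("ascii") + "-----END X509 CRL-----\n"

if __name__ == "__main__":
    conf = "[realms]\n EXAMPLE.ORG = {\n  pkinit_revoke = FILE:/etc/krb5kdc/ca.crl\n }\n"  # constructed
    print("CRL files named in kdc.conf:", pkinit_revoke_files(conf))
    stale = build_sample_crl(SAMPLE_NOW - 30 * ONE_DAY, SAMPLE_NOW - ONE_DAY, [0x1001])
    print(check_crl(stale, SAMPLE_NOW))
```

In production the loop would read each path returned by pkinit_revoke_files, run check_crl with the current time, and schedule a KDC restart whenever a fresher CRL has been dropped in place; the expiry finding is the one that matters most for a file maintained out of band.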
