[38147] in Kerberos


Re: set_string/pkinit_cert_match

daemon@ATHENA.MIT.EDU (Pallissard, Matthew)
Thu Dec 28 18:59:04 2017

Date: Thu, 28 Dec 2017 14:54:58 -0800
From: "Pallissard, Matthew" <kerberos@pallissard.net>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20171228225422.xvxuumbso7la5yb7@laptop.ihme.uw.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ddc50af9-c670-0e7b-2ef1-1a7fd48f009f@mit.edu>
Cc: "Pallissard, Matthew" <kerberos@pallissard.net>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, Dec 28, 2017 at 02:56:00PM -0500, Greg Hudson wrote:
> On 12/28/2017 02:05 PM, Pallissard, Matthew wrote:
> > I'm having issues when trying to use set_string with pkinit_cert_match. PKINIT does work when the SAN matches the user's principal explicitly. It does not work when I try to map it to a user where the principal does not match the SAN.
> 
> The intended use case for pkinit_cert_match is client certificates which
> weren't issued for use with PKINIT at all, and therefore have no
> id-pkinit-san values.  If there is an id-pkinit-san value, the KDC
> requires it to match the requested client principal.  Currently, the
> only way to allow this is to disable the pkinit_san module:
> 
>   [plugins]
>     certauth = {
>       disable = pkinit_san
>     }

That did the trick.

> 
> You would then have to specify a pkinit_cert_match string for every
> principal, as SAN matching would be turned off entirely.
> 
> If enough people have the use case where they want certificates with
> mismatched id-pkinit-san values to be accepted based on matching
> strings, we could provide a more convenient configuration hook for it.

> I had (perhaps naively) assumed that if people were going to the trouble
> of issuing client certs with id-pkinit-san values, they could include
> values for all of the desired client principal names.


Having a more convenient hook would work great at orgs where many folks have multiple principals for privilege separation and no control over the certs.  I'd +1 for pkinit_cert_match being able to function when a SAN exists.  It'd be nice to only map principals that need it while leaving those that don't alone. That being said, I can work around it. Thanks a lot!

Matt Pallissard
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
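The decision Greg describes above, worked through as an added example in Python (it is not MIT krb5 code and not part of this thread): the built-in pkinit_san check, the per-principal pkinit_cert_match string stored with `kadmin set_string`, and the `[plugins] certauth disable` knob. Assumptions: the combination rule (any reject fails the request, otherwise at least one module must accept) is how I understand the certauth interface; the other certauth modules a real KDC loads (EKU/KU checks) are left out, so a principal with no match string is rejected here purely because nothing accepted it; the subject DN is in OpenSSL one-line form; the match-string parser implements only the documented `<SUBJECT>`, `<ISSUER>`, `<SAN>`, `<EKU>`, `<KU>` components with `&&`/`||`; the sample certificate, realm EXAMPLE.COM and principals are constructed; the module name `pkinit_cert_match` used for the string check is a label of mine, not the real module's name.

```python
import re
from dataclasses import dataclass, field

# Verdicts a certauth module can give (modelled after the interface: no
# opinion, authorized, or a hard mismatch that ends the evaluation).
PASS, ACCEPT, REJECT = "pass", "accept", "reject"


@dataclass
class Cert:
    """Constructed stand-in for the fields a client certificate supplies."""
    subject: str                                     # assumed OpenSSL one-line DN form
    issuer: str
    pkinit_sans: list = field(default_factory=list)  # id-pkinit-san values
    eku: set = field(default_factory=set)            # extended key usage names
    ku: set = field(default_factory=set)             # key usage names


COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


def parse_match_rule(rule):
    """Parse '[&&|||]<TAG>value<TAG>value...' into (relation, [(tag, value), ...]).

    This is the documented pkinit_cert_match format; && (all must match) is the default.
    """
    relation = "&&"
    if rule.startswith(("&&", "||")):
        relation, rule = rule[:2], rule[2:]
    parts = COMPONENT_RE.split(rule)  # ['', TAG, value, TAG, value, ...]
    if parts[0].strip() or len(parts) < 3:
        raise ValueError("rule must consist of one or more <TAG>value components")
    return relation, list(zip(parts[1::2], parts[2::2]))


def component_matches(tag, value, cert):
    """Regex tags use re.search; list tags require every listed value to be present."""
    if tag == "SUBJECT":
        return re.search(value, cert.subject) is not None
    if tag == "ISSUER":
        return re.search(value, cert.issuer) is not None
    if tag == "SAN":
        return any(re.search(value, san) for san in cert.pkinit_sans)
    if tag == "EKU":
        return set(value.split(",")) <= cert.eku
    return set(value.split(",")) <= cert.ku  # KU


def rule_matches(rule, cert):
    relation, components = parse_match_rule(rule)
    results = [component_matches(tag, value, cert) for tag, value in components]
    return all(results) if relation == "&&" else any(results)


def pkinit_san_module(cert, princ, db_string):
    """Built-in SAN check: if an id-pkinit-san exists it must name the requested principal."""
    if not cert.pkinit_sans:
        return PASS
    return ACCEPT if princ in cert.pkinit_sans else REJECT


def db_string_module(cert, princ, db_string):
    """Per-principal pkinit_cert_match string (set via kadmin set_string); no string, no opinion."""
    if db_string is None:
        return PASS
    return ACCEPT if rule_matches(db_string, cert) else REJECT


# "pkinit_cert_match" is a label of mine for the string check; only pkinit_san is a real name.
MODULES = {"pkinit_san": pkinit_san_module, "pkinit_cert_match": db_string_module}


def authorize(cert, princ, db_strings, kdc_conf):
    """Combine verdicts (assumed rule: any reject fails; otherwise some module must accept)."""
    disabled = set(kdc_conf["plugins"]["certauth"].get("disable", []))
    accepted = False
    for name, module in MODULES.items():
        if name in disabled:
            continue
        verdict = module(cert, princ, db_strings.get(princ))
        if verdict == REJECT:
            return False
        accepted = accepted or verdict == ACCEPT
    return accepted


def set_string_command(princ, rule):
    """The kadmin.local invocation that stores the rule as the principal's string attribute."""
    return ["kadmin.local", "-q", f"set_string {princ} pkinit_cert_match {rule}"]


# Constructed sample: one certificate whose SAN names only the plain user principal.
SAMPLE_CERT = Cert(subject="/C=US/O=Example/CN=Matt Pallissard",
                   issuer="/C=US/O=Example/CN=Example CA",
                   pkinit_sans=["matt@EXAMPLE.COM"],
                   eku={"pkinit", "clientAuth"}, ku={"digitalSignature"})
DB_STRINGS = {"matt/admin@EXAMPLE.COM": "<SUBJECT>/CN=Matt Pallissard$"}
DEFAULT_CONF = {"plugins": {"certauth": {}}}
SAN_DISABLED_CONF = {"plugins": {"certauth": {"disable": ["pkinit_san"]}}}

if __name__ == "__main__":
    for conf in (DEFAULT_CONF, SAN_DISABLED_CONF):
        for princ in ("matt@EXAMPLE.COM", "matt/admin@EXAMPLE.COM"):
            print(conf["plugins"]["certauth"], princ,
                  authorize(SAMPLE_CERT, princ, DB_STRINGS, conf))
    print(" ".join(set_string_command("matt/admin@EXAMPLE.COM",
                                      DB_STRINGS["matt/admin@EXAMPLE.COM"])))
```

Running it shows the two failure modes in the thread side by side: with the default module set, `matt/admin@EXAMPLE.COM` is refused because the SAN names a different principal, even though its match string would fit (the original question); with `disable = pkinit_san`, that principal is accepted, but `matt@EXAMPLE.COM`, which has no string, is no longer accepted by anything in this model, which is why every principal needs its own pkinit_cert_match string once SAN matching is turned off.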
