[39389] in Kerberos


Re: Stateless PKINIT?

daemon@ATHENA.MIT.EDU (Yoann Gini)
Fri Mar 15 12:20:32 2024

From: Yoann Gini <yoann.gini@gmail.com>
Message-Id: <A7CBD0B5-3F4A-4A3B-AE48-FBA06C320B80@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
Date: Fri, 15 Mar 2024 17:19:08 +0100
In-Reply-To: <faf7c1cd-c87c-42c4-a300-83bf177d55fc@mit.edu>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Greg Hudson <ghudson@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit



> On 15 March 2024 at 17:17, Greg Hudson <ghudson@mit.edu> wrote:
> 
> On 3/15/24 06:15, Yoann Gini wrote:
>> Information about the principal (name and everything) could be extracted from the certificate. Principal and certificate contain the same information.
> 
> To issue a ticket, the KDC doesn't need to know directory-type information such as real names, but it does need to know Kerberos-specific policy information like "how long can the ticket expiration time be".  That information could presumably be standardized across clients, which is why I suggested a template principal.

Understood!

That's an interesting lead here.

>> Other option I wonder is using the LDAP backend to answer dynamic content (we have an LDAP gateway in our codebase, so we can use it as a backend API between MIT Kerberos and our identity store).
>> Doing so, the main issue would be to know what Kerberos needs to write, to handle it.
> 
> The KDC does not need to write to the KDB, although it will attempt to do writes to maintain account lockout state (which is irrelevant to the configuration at hand).  Attempts to write can be disabled via the settings documented here:
> 
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/lockout.html#disable-lockout
> 
> When synthesizing a client principal entry (or creating a template), be sure to include the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR principal flags.

OK, thanks!
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
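As an added illustration of the two points in Greg's reply (not code from the thread or from MIT krb5): the kdc.conf settings that stop the KDC writing lockout state, and a check that a template client principal carries the REQUIRES_PRE_AUTH and DISALLOW_SVR flags. The realm EXAMPLE.COM and the principal name pkinit-template are assumptions, and the optional live step assumes kadmin.local is present on the KDC.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Realm and template
# principal name are hypothetical.
REALM="EXAMPLE.COM"
TEMPLATE="pkinit-template@${REALM}"

# kdc.conf [realms] settings that disable the KDC's lockout and
# last-success writes (the settings the linked lockout page documents),
# so a read-only or synthesized KDB entry never triggers a write attempt.
kdc_conf_realm_stanza() {
    cat <<EOF
[realms]
    ${REALM} = {
        disable_last_success = true
        disable_lock_out = true
    }
EOF
}

# Inspect kadmin "getprinc" output: both flags Greg names must be present
# on the Attributes line. Returns 0 when the entry is acceptable, 1 if not.
template_flags_ok() {
    attrs=$(printf '%s\n' "$1" | sed -n 's/^Attributes: *//p')
    case " $attrs " in
        *" REQUIRES_PRE_AUTH "*) ;;
        *) return 1 ;;
    esac
    case " $attrs " in
        *" DISALLOW_SVR "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live step (only when kadmin.local exists): create the template without a
# long-term key, since PKINIT clients authenticate with certificates, then
# read the entry back and confirm the flags actually landed on it.
create_and_verify_template() {
    kadmin.local -q "addprinc -nokey +requires_preauth -allow_svr ${TEMPLATE}" || return 1
    out=$(kadmin.local -q "getprinc ${TEMPLATE}") || return 1
    template_flags_ok "$out"
}

if command -v kadmin.local >/dev/null 2>&1; then
    create_and_verify_template
fi
```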

