[37384] in Kerberos


Re: [EXTERNAL] Re: PKINIT on MacOSX Maverick and Yosemite

daemon@ATHENA.MIT.EDU (Machin, Glenn D)
Mon Jan 18 19:31:17 2016

From: "Machin, Glenn D" <GMachin@sandia.gov>
To: Greg Hudson <ghudson@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 19 Jan 2016 00:30:47 +0000
Message-ID: <D2C2CA0B.4AC9A%gmachin@sandia.gov>
In-Reply-To: <569D7A11.3080900@mit.edu>
Content-Language: en-US
Content-ID: <F4275C4B62DA6749B2A331A27BA5753F@sandia.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Thanks - it turns out the issue with MacOSX failing when --pk-use-enckey
is not used is associated with the minimum number of bits the KDC is
willing to accept for a client's Diffie-Hellman key. Apparently MacOSX
Heimdal is set at 1024 and has no (at least that I can find) krb5.conf
attribute like pkinit_dh_min_bits. The MIT KDC minimum is 2048 and even if
you set the kdc.conf pkinit_dh_min_bits to 1024 the source code's minimum
is defined at 2048. I was hoping I could make a configuration change
rather than a code change but that does not look like it's possible. So I
had to change krb5-1.10.3/src/plugins/preauth/pkinit/pkinit.h for
PKINIT_DEFAULT_DH_MIN_BITS to 1024 to make pkinit work on MacOSX.

If you know a better way please let me know.


Glenn



On 1/18/16, 4:49 PM, "Greg Hudson" <ghudson@mit.edu> wrote:

>On 01/18/2016 01:52 PM, Machin, Glenn D wrote:
>> PKINIT  seems to only work using MacOSX kinit (/usr/bin/kinit) when the
>>argument "--pk-use-enckey" is also passed.    There does not seem to be
>>a corresponding krb5.conf setting for this argument.   Does anyone know
>>a MacOSX krb5.conf setting that will do the same thing as
>>--pk-use-enckey?
>
>By my reading of the OS X Heimdal code, there is no equivalent krb5.conf
>option.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
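The check that the thread above is working around is the KDC comparing the size of the client's Diffie-Hellman modulus with its configured minimum. The following is an added example, not MIT krb5 or Heimdal code: it encodes the client's DH value the way the PKINIT AuthPack carries it (a SubjectPublicKeyInfo with the X9.42 dhpublicnumber algorithm, per RFC 4556 and RFC 3279), then extracts the modulus on the KDC side and applies the pkinit_dh_min_bits comparison. The `compiled_min_bits` floor models the behaviour Glenn reports for krb5-1.10.3 (the configured value cannot go below PKINIT_DEFAULT_DH_MIN_BITS) and is an assumption of this example, as is the 2048-bit stand-in modulus, which is constructed for size only and is not a real group. With the floor lowered to 1024 the KDC completes PKINIT with the 1024-bit Oakley group 2, which is the weakening this workaround trades for interoperability.

```python
"""Added example (not MIT krb5 or Heimdal code): what a KDC's
pkinit_dh_min_bits check looks at.  The PKINIT AuthPack carries the
client's Diffie-Hellman value as a SubjectPublicKeyInfo with the X9.42
dhpublicnumber algorithm (RFC 4556 / RFC 3279); the KDC compares the
bit length of the modulus p in those parameters with its minimum."""

# RFC 2409 Oakley group 2: the 1024-bit MODP modulus that RFC 4556 lists
# among the well-known PKINIT DH groups.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

# Constructed stand-in for a 2048-bit modulus (NOT a real group; only its
# size matters to the check demonstrated here).
CONSTRUCTED_2048_P = (1 << 2047) | (1 << 1000) | 1

DHPUBLICNUMBER_OID = bytes.fromhex("2a8648ce3e0201")  # 1.2.840.10046.2.1


# --- minimal DER encoder / decoder -------------------------------------
def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    # One extra byte when the top bit is set keeps the INTEGER positive.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def der_read(buf, pos=0):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- client side: the SubjectPublicKeyInfo placed in the AuthPack -------
def encode_dh_spki(p, g, q, y):
    """SubjectPublicKeyInfo { AlgorithmIdentifier { dhpublicnumber,
    DomainParameters { p, g, q } }, BIT STRING { INTEGER y } }."""
    params = der_tlv(0x30, der_int(p) + der_int(g) + der_int(q))
    alg_id = der_tlv(0x30, der_tlv(0x06, DHPUBLICNUMBER_OID) + params)
    pub = der_tlv(0x03, b"\x00" + der_int(y))  # leading byte: 0 unused bits
    return der_tlv(0x30, alg_id + pub)


# --- KDC side: the check that pkinit_dh_min_bits governs ---------------
def dh_modulus_bits(spki_der):
    """Extract p from the client's SubjectPublicKeyInfo and return its size."""
    _, spki, _ = der_read(spki_der)
    _, alg_id, _ = der_read(spki)
    tag, oid, after_oid = der_read(alg_id)
    if tag != 0x06 or oid != DHPUBLICNUMBER_OID:
        raise ValueError("not a dhpublicnumber key")
    _, params, _ = der_read(alg_id, after_oid)
    _, p_bytes, _ = der_read(params)
    return int.from_bytes(p_bytes, "big").bit_length()


def kdc_accepts(spki_der, pkinit_dh_min_bits, compiled_min_bits=2048):
    """Model (an assumption of this example) of the behaviour reported for
    krb5-1.10.3: the configured pkinit_dh_min_bits cannot go below the
    compile-time PKINIT_DEFAULT_DH_MIN_BITS, so the larger of the two wins."""
    effective_min = max(pkinit_dh_min_bits, compiled_min_bits)
    return dh_modulus_bits(spki_der) >= effective_min


def sample_1024_spki():
    """Constructed client value in Oakley group 2 (y is an arbitrary element)."""
    p = OAKLEY_GROUP2_P
    return encode_dh_spki(p, 2, (p - 1) // 2, pow(2, 0x1234567, p))


def sample_2048_spki():
    """Constructed client value over the 2048-bit stand-in modulus."""
    p = CONSTRUCTED_2048_P
    return encode_dh_spki(p, 2, (p - 1) // 2, pow(2, 0x1234567, p))


if __name__ == "__main__":
    for name, spki in (("group 2", sample_1024_spki()), ("2048-bit", sample_2048_spki())):
        print(name, dh_modulus_bits(spki), "bits,",
              "accepted" if kdc_accepts(spki, 1024) else "rejected",
              "with the 2048 floor;",
              "accepted" if kdc_accepts(spki, 1024, compiled_min_bits=1024) else "rejected",
              "with the floor lowered to 1024")
```

Run stand-alone, the script shows the 1024-bit client value being rejected while the compile-time floor stays at 2048 and accepted once that floor is lowered, which is exactly the difference the pkinit.h change in the thread makes; the 2048-bit value is accepted either way.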

