Re: trouble with pkinit
Date: Sat, 18 Apr 2026 01:35:30 -0500
From: Nico Williams <nico@cryptonector.com>
To: Alexander Bokovoy <abokovoy@redhat.com>
Message-ID: <aeMmMnZ/oMMFKU0q@ubby>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <aeMab2We2Hiyp2sh@redhat.com>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Sat, Apr 18, 2026 at 08:45:19AM +0300, Alexander Bokovoy wrote:
> We are doing something similar with localkdc where user principals do not
> exist in the KDC database but our KDB driver looks them up through
> external sources (the userdb interface systemd provides on top of NSS). You
> still need to resolve the get_principal() request by the KDC to answer the
> question of which pre-auth mechanisms could be enabled for this principal.

The observation in Heimdal's synthetic principals feature is that if
there is a pre-auth mechanism that can externally identify and
authenticate the principal, and the principal record does not exist,
then we can synthesize without further ado. PKINIT can do that.
Encrypted challenges can't. So if the principal record doesn't exist
then we can synthesize one that allows PKINIT and not encrypted
challenges, which is what we do, but we don't do it for the purposes of
KRB-ERROR generation for pre-auth-less AS-REQs -- _that_ is the bug
biting Geoffrey.

Nico
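The decision rule described above, as an added illustration that is not Heimdal's or MIT's code: a toy KDC lookup synthesizes a principal entry only when the request offers a pre-auth mechanism that authenticates the client without a stored key (PKINIT), and the pre-auth-less AS-REQ path shows why skipping that synthesis when generating the KRB-ERROR hints hurts. The pre-auth type and error numbers are the RFC 4120 / RFC 4556 / RFC 6113 values; the principal names, the `synthesize_for_errors` switch and the "tentative" synthesis on the error path are assumptions made for the example, not a description of either implementation.

```python
from dataclasses import dataclass

# Pre-authentication types (RFC 4120, RFC 4556, RFC 6113).
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ = 16
PA_ENCRYPTED_CHALLENGE = 138

# KDC error codes (RFC 4120 section 7.5.9).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_REQUIRED = 25
KDC_ERR_PREAUTH_FAILED = 31

# Mechanisms that identify and authenticate the client without a long-term
# key stored in the KDB (PKINIT: certificate plus signature).  Encrypted
# timestamp and encrypted challenge both need the client's key from the KDB,
# so a synthesized entry can never satisfy them.
EXTERNALLY_AUTHENTICATING = frozenset({PA_PK_AS_REQ})


@dataclass(frozen=True)
class PrincipalEntry:
    name: str
    allowed_preauth: frozenset
    synthetic: bool = False


# Constructed stand-in for the KDB: only alice has a stored record.
STORED_DB = {
    "alice@EXAMPLE.COM": PrincipalEntry(
        "alice@EXAMPLE.COM",
        frozenset({PA_ENC_TIMESTAMP, PA_ENCRYPTED_CHALLENGE, PA_PK_AS_REQ}),
    ),
}


def lookup_principal(name, offered, tentative=False):
    """Return the entry for `name`.

    A stored record wins.  Otherwise a synthetic record allowing only the
    externally authenticating mechanisms is returned when the request offers
    one of them, or when `tentative` is set (assumption: the KDC is only
    deciding which PA-DATA hints to advertise).  Otherwise None.
    """
    if name in STORED_DB:
        return STORED_DB[name]
    if (frozenset(offered) & EXTERNALLY_AUTHENTICATING) or tentative:
        return PrincipalEntry(name, EXTERNALLY_AUTHENTICATING, synthetic=True)
    return None


def handle_as_req(name, offered, synthesize_for_errors=True):
    """Toy AS-REQ handling.

    Returns ("AS-REP", name, mechanism_used, synthetic) or
    ("KRB-ERROR", error_code, hints) where hints is the sorted tuple of
    pre-auth types advertised in the error's PA-DATA.
    """
    offered = frozenset(offered)
    if not offered:
        # Pre-auth-less request: the KDC must answer PREAUTH_REQUIRED with
        # hints.  If this path never synthesizes, an unknown principal gets
        # C_PRINCIPAL_UNKNOWN and the client never learns PKINIT would work.
        entry = lookup_principal(name, offered, tentative=synthesize_for_errors)
        if entry is None:
            return ("KRB-ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN, ())
        return ("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED, tuple(sorted(entry.allowed_preauth)))

    entry = lookup_principal(name, offered)
    if entry is None:
        return ("KRB-ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN, ())
    usable = offered & entry.allowed_preauth
    if not usable:
        # e.g. encrypted challenge offered against a synthetic (keyless) entry
        return ("KRB-ERROR", KDC_ERR_PREAUTH_FAILED, tuple(sorted(entry.allowed_preauth)))
    return ("AS-REP", entry.name, min(usable), entry.synthetic)


if __name__ == "__main__":
    # The case from the thread: a principal with no KDB record, first with
    # PKINIT offered, then pre-auth-less on the buggy and on the fixed path.
    print(handle_as_req("bob@EXAMPLE.COM", [PA_PK_AS_REQ]))
    print(handle_as_req("bob@EXAMPLE.COM", [], synthesize_for_errors=False))
    print(handle_as_req("bob@EXAMPLE.COM", [], synthesize_for_errors=True))
```

With `synthesize_for_errors=False` the second call returns error 6 (unknown principal), so a PKINIT-capable client that starts with a bare AS-REQ gets no hint to retry with PA-PK-AS-REQ; with the switch on it gets error 25 and a hint list of `(16,)`, which is the behaviour the message says the synthesis should also provide on the KRB-ERROR path.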
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev