URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
Thanks @simo5. Except SELinux changes this PR is ready to be accepted.
TODO as separate pull requests:

* SELinux policy needs to be updated to allow certmonger to write to:

      allow certmonger_t krb5kdc_conf_t:dir { add_name write };
      allow certmonger_t krb5kdc_conf_t:file create;

* For CA-less setup we need to add `ipa-pkinit-manage` to allow adding an
externally provided PKCS#12 package with the KDC certificate after installation.

Also, to document the decisions we made when moving forward with this PR: the
anonymous PKINIT principal is created in all configurations. Its use for the
non-PKINIT case will be detailed in the privilege separation patchset:

* For embedded CA, Anonymous PKINIT is used for password/2FA login FAST.
* If Anonymous PKINIT does not work (CA-less or external CA case with PKINIT
not configured), a Kerberos keytab with the Anonymous principal will be used for
FAST wrapping.
* Finally, if neither of these works, privilege separation will degrade 2FA
logon.

This allows us to fully utilize Anonymous Kerberos principal potential.


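The fallback order abbra lists (anonymous PKINIT, then an anonymous-principal keytab, then degraded 2FA logon) as a small POSIX shell script. This is an added illustration, not code from the FreeIPA PR or the privilege separation patchset; the realm `EXAMPLE.TEST`, the keytab path `/var/lib/ipa/anonymous.keytab` and the `KINIT` override are assumptions made here so the decision logic can be exercised without a KDC. The `kinit` flags used (`-n` for anonymous PKINIT, `-k -t` for a keytab, `-T` for a FAST armor ccache) are the MIT Kerberos ones.

```shell
#!/bin/sh
# Added example, not FreeIPA code: pick a FAST armor ticket in the order the
# PR comment describes. Assumed/constructed values:
#   REALM        - Kerberos realm (constructed)
#   ANON_KEYTAB  - hypothetical keytab holding the WELLKNOWN/ANONYMOUS key
#   KINIT        - kinit binary; overridable so the logic can run with a stub
REALM="${REALM:-EXAMPLE.TEST}"
ANON_KEYTAB="${ANON_KEYTAB:-/var/lib/ipa/anonymous.keytab}"
ARMOR_CCACHE="${ARMOR_CCACHE:-FILE:/tmp/ipa_armor_$$}"
KINIT="${KINIT:-kinit}"

# obtain_armor prints which source filled the armor ccache:
#   pkinit - anonymous PKINIT worked (embedded CA, or external CA with PKINIT set up)
#   keytab - fell back to the anonymous principal's keytab (CA-less / no PKINIT)
#   none   - neither is available; 2FA logon will be degraded
obtain_armor() {
    # 1. Anonymous PKINIT: kinit -n asks for WELLKNOWN/ANONYMOUS credentials and
    #    only succeeds if the client trusts the KDC's PKINIT certificate chain.
    if "$KINIT" -n -c "$ARMOR_CCACHE" "@$REALM" 2>/dev/null; then
        echo pkinit
        return 0
    fi
    # 2. Keytab with the anonymous principal; no certificate involved.
    if [ -r "$ANON_KEYTAB" ] &&
       "$KINIT" -k -t "$ANON_KEYTAB" -c "$ARMOR_CCACHE" \
           "WELLKNOWN/ANONYMOUS@$REALM" 2>/dev/null; then
        echo keytab
        return 0
    fi
    # 3. Nothing to armor the AS exchange with.
    echo none
    return 1
}

# fast_kinit obtains a TGT for user $1, wrapped in FAST when armor is available.
# Without armor the plain AS exchange is attempted; OTP preauth that requires
# FAST will then fail, which is the "degrade 2FA logon" case.
fast_kinit() {
    user="$1"
    src=$(obtain_armor) || true
    if [ "$src" = none ]; then
        "$KINIT" "$user@$REALM"
    else
        "$KINIT" -T "$ARMOR_CCACHE" "$user@$REALM"
    fi
}
```

On a real client, `fast_kinit alice` runs the whole sequence; `obtain_armor` alone is useful as a health check for whether PKINIT is actually usable from that host.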