On Mon, 12 Dec 2016, Christian Heimes wrote:
> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>> Hi Simo,
>>>
>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>> of Kerberos requests are performed by anon pkinit and to establish a
>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>> Anonymous principal as configured in FreeIPA can only be used to obtain
>> a TGT, nothing else.
>>
>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>
> That doesn't answer my question for me. Or does 'only TGT' imply that
> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
> about the two request types.
You can only obtain a TGT and this TGT can only be used for FAST
channel. You cannot obtain any service ticket with this TGT.

/ Alexander Bokovoy
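
An added illustration (not python-kdcproxy's code and not part of the thread) of the request-type allow-list described in the quoted question: a message is classified by its outer ASN.1 APPLICATION tag, and only AS-REQ, TGS-REQ and the kpasswd pair of AP-REQ plus KRB-PRIV are accepted. The function names and stub inputs are assumptions; the kpasswd framing follows RFC 3244, and the input is assumed to be the bare message without a transport length prefix.

```python
import struct

# The outer DER tag of a Kerberos message is [APPLICATION n], constructed (RFC 4120).
APP = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 14: "AP-REQ", 21: "KRB-PRIV"}
ALLOWED = {"AS-REQ", "TGS-REQ", "AP-REQ+KRB-PRIV"}

def der_app(buf, off=0):
    """Return (type name, end offset) of the APPLICATION-tagged TLV at off."""
    if len(buf) - off < 2 or buf[off] & 0xE0 != 0x60 or buf[off] & 0x1F == 0x1F:
        raise ValueError("not a constructed APPLICATION tag")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length, 1 to 4 octets
        n = first & 0x7F
        if not 1 <= n <= 4 or len(buf) - off < 2 + n:
            raise ValueError("bad length field")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    end = off + hdr + length
    if end > len(buf):
        raise ValueError("truncated body")
    return APP.get(tag & 0x1F, "unknown"), end

def classify(msg):
    """Name the request type; raise ValueError if the message does not parse."""
    try:
        name, end = der_app(msg)
        if end == len(msg):
            return name
    except ValueError:
        pass
    # kpasswd framing (RFC 3244): msg len, version, AP-REQ len, AP-REQ, KRB-PRIV
    if len(msg) < 6:
        raise ValueError("too short")
    total, _version, ap_len = struct.unpack(">HHH", msg[:6])
    ap = der_app(msg[:6 + ap_len], 6)
    priv = der_app(msg, 6 + ap_len)
    if total != len(msg) or (ap, priv) != (("AP-REQ", 6 + ap_len), ("KRB-PRIV", total)):
        raise ValueError("not AP-REQ followed by KRB-PRIV")
    return "AP-REQ+KRB-PRIV"

def is_allowed(msg):
    try:
        return classify(msg) in ALLOWED
    except ValueError:
        return False

# Constructed stubs (outer tag around an empty SEQUENCE), not real Kerberos traffic.
AS_REQ, AS_REP, AP_REQ, KRB_PRIV = (bytes([t, 2, 0x30, 0]) for t in (0x6A, 0x6B, 0x6E, 0x75))
KPASSWD = struct.pack(">HHH", 14, 1, 4) + AP_REQ + KRB_PRIV
```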

