On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Christian Heimes wrote:
> > On 2016-12-12 09:54, Alexander Bokovoy wrote:
> > > On Mon, 12 Dec 2016, Christian Heimes wrote:
> > > > Hi Simo,
> > > >
> > > > I'm wondering if we need to change kdcproxy for anon pkinit. What kind
> > > > of Kerberos requests are performed by anon pkinit and to establish a
> > > > FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
> > > > and AP-REQ+KRB-PRIV. Responses are not filtered.
> > > The anonymous principal as configured in FreeIPA can only be used to obtain
> > > a TGT, nothing else.
> > >
> > > See https://tools.ietf.org/html/rfc6112 for a spec definition.
> >
> > That doesn't answer my question for me. Or does 'only TGT' imply that
> > request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
> > about the two request types.
> You can only obtain a TGT and this TGT can only be used for FAST
> channel. You cannot obtain any service ticket with this TGT.
To close the loop, no changes in kdcproxy are needed because PKINIT is a
pre-authentication scheme and it works just fine with kdcproxy as it is.
I just tested this.
--
/ Alexander Bokovoy
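To illustrate the thread's conclusion (PKINIT and FAST are pre-authentication data carried inside an AS-REQ, so a filter keyed on the outer Kerberos request type is unaffected), here is an added example that is not code from the thread or from python-kdcproxy. It builds a constructed skeleton AS-REQ (req-body omitted), extracts the padata types, and applies the request-type rule Christian quotes; `request_allowed` and `preauth_types` are hypothetical names, and the DER helpers are minimal and assume small integers.

```python
# Added illustration, not python-kdcproxy's own code. Message tags: RFC 4120 5.10.
AS_REQ, TGS_REQ, AP_REQ, KRB_PRIV = 10, 12, 14, 21   # Kerberos APPLICATION tags
PA_PK_AS_REQ, PA_FX_FAST = 16, 136                  # padata types: RFC 4556, RFC 6113

def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlvs(buf):
    """Yield (tag, content) for each DER TLV found back to back in buf."""
    i = 0
    while i < len(buf):
        if buf[i + 1] < 0x80:
            length, start = buf[i + 1], i + 2
        else:
            n = buf[i + 1] & 0x7F
            length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
        yield buf[i], buf[start:start + length]
        i = start + length

seq = lambda body: der(0x30, body)                       # SEQUENCE
ctx = lambda n, body: der(0xA0 | n, body)                # [n] EXPLICIT
integer = lambda v: der(0x02, v.to_bytes(2 if v > 0x7F else 1, "big"))  # 0 <= v < 0x8000

def as_req(pa_types):
    """Constructed skeleton AS-REQ: pvno, msg-type and padata (req-body omitted)."""
    padata = seq(b"".join(seq(ctx(1, integer(t)) + ctx(2, der(0x04, b""))) for t in pa_types))
    return der(0x60 | AS_REQ, seq(ctx(1, integer(5)) + ctx(2, integer(AS_REQ)) + ctx(3, padata)))

def preauth_types(msg):
    """padata-type values inside an AS-REQ/TGS-REQ; empty set for any other message."""
    tag, body = next(tlvs(msg))
    if tag not in (0x60 | AS_REQ, 0x60 | TGS_REQ):
        return set()
    fields = dict(tlvs(next(tlvs(body))[1]))             # KDC-REQ fields keyed by [n] tag
    if 0xA3 not in fields:                               # no padata present
        return set()
    return {int.from_bytes(next(tlvs(dict(tlvs(pa))[0xA1]))[1], "big")
            for _, pa in tlvs(next(tlvs(fields[0xA3]))[1])}

def request_allowed(msg):
    """Request-type rule from the thread: AS-REQ, TGS-REQ, or AP-REQ followed by
    KRB-PRIV (kpasswd). Pre-auth data never changes the outer tag, so a PKINIT
    or FAST-armored AS-REQ is classified exactly like a plain AS-REQ."""
    tags = [tag & 0x1F for tag, _ in tlvs(msg) if tag & 0xE0 == 0x60]
    return tags in ([AS_REQ], [TGS_REQ], [AP_REQ, KRB_PRIV])
```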

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code