Anonymous PKINIT works fine but requires certs to be distributed. Unless you're 
prepared to update every machine in the world every year, you pretty much have 
to use a cert that goes back to a commercial CA. But in that case you probably 
have to use the obscurely documented

  pkinit_eku_checking = kpServerAuth
  pkinit_kdc_hostname = kdc1.x.y
  pkinit_kdc_hostname = kdc2.x.y

I can understand that a newcomer would find OTP pretty much impossible to set 
up in practice.

Furthermore, your applications have to be written for it. They can't use the 
normal krb5 API calls for getting a credential from a password. I actually 
wrote an LD_PRELOAD wrapper to make a normal application work.
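As an added illustration (not from the poster above, and not the project's own documentation), here is a krb5.conf fragment that puts those two options in context. The realm name and the CA bundle path are assumptions; the KDC names kdc1.x.y and kdc2.x.y are the ones from the message.

```ini
# Constructed example krb5.conf fragment; realm name and CA bundle path are assumptions.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.x.y
        kdc = kdc2.x.y
        # Trust anchors used to validate the KDC's certificate. With a commercial CA
        # this is the public CA bundle rather than a site-specific Kerberos CA.
        pkinit_anchors = FILE:/etc/ssl/certs/ca-certificates.crt
        # Commercial CAs issue certificates carrying the TLS serverAuth EKU, not the
        # Kerberos-specific id-pkinit-KPKdc EKU, so tell the client to accept serverAuth.
        # Avoid "none": it disables EKU checking entirely and removes one of the two
        # constraints on which certificate may be presented as the KDC.
        pkinit_eku_checking = kpServerAuth
        # Without a Kerberos-specific SAN in the certificate, the client must be told
        # which dNSName SANs identify a legitimate KDC. List every KDC; a certificate
        # for any other name that chains to the same CA is rejected.
        pkinit_kdc_hostname = kdc1.x.y
        pkinit_kdc_hostname = kdc2.x.y
    }
```

With this in place, `kinit -n -c /tmp/armor` obtains the anonymous PKINIT ticket and `kinit -T /tmp/armor user` uses it as the FAST armor for the OTP preauthentication the thread is about.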

________________________________
From: Kerberos <[email protected]> on behalf of Russ Allbery 
<[email protected]>
Sent: Wednesday, April 26, 2023 2:57 PM
To: Ken Hornstein via Kerberos <[email protected]>
Cc: Ken Hornstein <[email protected]>
Subject: Re: help with OTP

Ken Hornstein via Kerberos <[email protected]> writes:

> Well, dang, that's one for the toolbox!  I was able to confirm that
> works just fine (but note I already had an existing PKINIT
> infrastructure to leverage).  I will note that the existing
> documentation implies you could authenticate to WELLKNOWN/ANONYMOUS
> using your password, but maybe that isn't true?  I'm specifically
> referring to the documentation for the '-n' option for kinit, the
> "second form" of anonymous tickets.  There is a note that this isn't
> supported, but it mentions MIT Kerberos 1.8 so one could believe that
> note is out of date.

> This is kind of the giant mystery surrounding FAST.  If you're not
> familiar with the gory details of the FAST protocol you're kind of left
> stumbling around to figure out what exactly you need to do.  I realize
> this is probably because it's hard to write documentation for beginners
> (certainly I am guilty of this also); I'm only making this as a general
> observation.

I worked through a bunch of this for pam-krb5 back in the day and made it
support a set of reasonable things, including anonymous PKINIT to
establish the FAST armor.  People who are working in this area may find
its source code useful to look at, although I think there have been
improvements since then and what it does may no longer be best practice.

https://github.com/rra/pam-krb5/blob/main/module/fast.c

--
Russ Allbery ([email protected])             <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
