Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
On Tue, 9 Nov 2010 15:12:25 -0500 Simo Sorce sso...@redhat.com wrote: On Mon, 8 Nov 2010 19:34:12 -0500 Simo Sorce sso...@redhat.com wrote: Patch 0004: Add basic certification creation for selfsigned CA and KDC configuration. opnessl had to be used because the NSS tools cannot deal with the special subjectaltName needed for the KDC certificate. Rebased this one on top of master (there was a conflict after latest pushes). Simo. This is a rebase of all the patches in this thread on top of current master. -- Simo Sorce * Red Hat, Inc * New York From b70eca77b31c4f6e5c7b2fce93f6badca230838c Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Mon, 1 Nov 2010 13:51:14 -0400 Subject: [PATCH 01/12] Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate --- install/tools/ipa-replica-install |2 +- install/tools/ipa-replica-prepare |6 +++--- install/tools/ipa-server-certinstall |2 +- install/tools/ipa-server-install | 14 -- install/tools/man/ipa-server-install.1|2 +- ipa-client/ipa-install/ipa-client-install |4 ++-- ipapython/certdb.py |4 +++- ipaserver/install/cainstance.py | 16 ++-- ipaserver/install/certs.py| 15 ++- ipaserver/install/dsinstance.py |8 ipaserver/install/httpinstance.py | 14 +++--- ipaserver/plugins/selfsign.py |5 +++-- 12 files changed, 53 insertions(+), 39 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e4aae4aa3c34e283b3da71c8fcd3193ab901ca83..2beadae812dbe87927855dab42e2a44802e38a02 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -48,7 +48,7 @@ class ReplicaConfig: self.host_name = self.repl_password = self.dir = -self.subject_base = O=IPA +self.subject_base = def parse_options(): usage = %prog [options] REPLICA_FILE diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 6e9d649ae6146c850ce6780efa7cccbe1f6100f4..059b011f9f60128ceba171cf5129e8c769e1eaf3 100755 
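Review bot: `self.subject_base` in `ReplicaConfig` now defaults to an empty string instead of `O=IPA`, so a replica info file with no subject_base entry (one prepared by a master that predates this series would presumably lack it) leaves the replica working with an empty subject base and, unless something later rejects it, issuing certificates with no organisation component rather than failing early. The code that reads the replica file is outside the hunk, so this may already be handled; if it is not, derive the default from the realm once it is known or refuse an empty `subject_base` before any certificate is created, and record the contract in a comment: `# filled in from the replica file; must never stay empty`. `parse_options` continues past the end of the hunk.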
--- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec try: self_signed = certs.ipa_self_signed() -db = certs.CertDB(dir, subject_base=subject_base) +db = certs.CertDB(dir, realm_name, subject_base=subject_base) db.create_passwd_file() #if self_signed: #ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) #db.create_from_cacert(ca_db.cacert_fname) #else: #ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) -ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base) +ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base) db.create_from_cacert(ca_db.cacert_fname) db.create_server_cert(Server-Cert, hostname, ca_db) except Exception, e: @@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password): try: try: -db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) +db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host) if db.has_nickname(ipaCert): pkcs12_fname = %s/ra.p12 % dir diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index d853f71889e42d5f9570d153c2b978ef9965..9d69853e51308234cb3330b18e9d5665de62f5ca 100755 --- a/install/tools/ipa-server-certinstall +++ b/install/tools/ipa-server-certinstall @@ -89,7 +89,7 @@ def choose_server_cert(server_certs): return server_certs[num - 1] def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password): -cdb = certs.CertDB(dirname) +cdb = certs.CertDB(dirname, api.env.realm) cdb.create_passwd_file(db_password) cdb.create_certdbs() [pw_fd, pw_name] = tempfile.mkstemp() diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index c8a17c99d8eee92759d309874e7159095e1d5ca7..569079d5a60cd3b0af09965c952c05fdaca0a1b4 100755 --- a/install/tools/ipa-server-install 
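Review bot: `cdb = certs.CertDB(dirname, api.env.realm)` in `import_cert` reads `api.env.realm`, which is only populated once `api.bootstrap()`/`api.finalize()` have run; the imports and setup of ipa-server-certinstall are outside the hunk, so if this script did not already import and initialise `api` before this change the new line fails with a NameError or an empty realm at runtime instead of a clean error. The other tool in this patch, `export_certdb` in ipa-replica-prepare, takes `realm_name` as an explicit parameter, which is the safer shape here too: either confirm `api` is initialised in this script or thread the realm through `import_cert` as a parameter. `import_cert` continues outside the hunk.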
+++ b/install/tools/ipa-server-install @@ -122,8 +122,8 @@ def parse_options(): help=The starting uid value (default random)) parser.add_option(--gidstart, dest=gidstart, default=namespace, type=int, help=The starting gid value (default random)) -parser.add_option(--subject, dest=subject, default=O=IPA, - help=The certificate subject base (default O=IPA)) +parser.add_option(--subject, dest=subject, +
Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
On Thu, 18 Nov 2010 12:27:57 -0500 Rob Crittenden rcrit...@redhat.com wrote: Simo Sorce wrote: On Tue, 9 Nov 2010 15:12:25 -0500 Simo Sorce sso...@redhat.com wrote: On Mon, 8 Nov 2010 19:34:12 -0500 Simo Sorce sso...@redhat.com wrote: Patch 0004: Add basic certificate creation for selfsigned CA and KDC configuration. openssl had to be used because the NSS tools cannot deal with the special subjectAltName needed for the KDC certificate. Rebased this one on top of master (there was a conflict after latest pushes). Simo. This is a rebase of all the patches in this thread on top of current master. Acks all around. Pushed all to master. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
On Mon, 8 Nov 2010 19:34:12 -0500 Simo Sorce sso...@redhat.com wrote: This set of patches implements the first part of ticket #55. The patchset only adds the ability to install pkinit with the selfsigned CA (or with externally provided certs). If you need to use/test dogtag you can pass the --no-pkinit option for the time being, as setting up pkinit is performed by default. Patch 0003: change the install tools to use a subject base based on the realm name and not O=IPA for all installs. I realized this patch ^^ should probably have been posted separately, although it is a dependency for all the others. It fixes #427. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
On Mon, 8 Nov 2010 19:34:12 -0500 Simo Sorce sso...@redhat.com wrote: Patch 0004: Add basic certification creation for selfsigned CA and KDC configuration. opnessl had to be used because the NSS tools cannot deal with the special subjectaltName needed for the KDC certificate. Rebased this one on top of master (there was a conflict after latest pushes). Simo. -- Simo Sorce * Red Hat, Inc * New York From d3ab2c9a543a431a0c3accc160e96a41ce143bd0 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Fri, 29 Oct 2010 16:23:21 -0400 Subject: [PATCH] Add support for configuring KDC certs for PKINIT This patch adds support only for the selfsign case. Replica support is also still missing at this stage. --- install/share/Makefile.am |2 + install/share/kdc.conf.template |2 + install/share/kdc_extensions.template | 32 install/share/kdc_req.conf.template | 14 + install/tools/ipa-server-install | 36 +- ipaserver/install/certs.py| 88 +++-- ipaserver/install/krbinstance.py | 46 +- 7 files changed, 214 insertions(+), 6 deletions(-) create mode 100644 install/share/kdc_extensions.template create mode 100644 install/share/kdc_req.conf.template diff --git a/install/share/Makefile.am b/install/share/Makefile.am index e4b6ca385529e118a1a486eb8687b19e78f5f133..3423ce2874021e3380832c190ff10848d2e2c216 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -24,6 +24,8 @@ app_DATA =\ bind.zone.db.template \ certmap.conf.template \ kdc.conf.template \ + kdc_extensions.template \ + kdc_req.conf.template \ krb5.conf.template \ krb5.ini.template \ krb.con.template \ diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 4a2cca412c7a5a1b8a45f6d114ec844aa02822ea..f8e07c77bdbffe3d73baf016aae1b9733adb7390 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template 
@@ -12,4 +12,6 @@
 dict_file = /usr/share/dict/words
 default_principal_flags = +preauth
 ; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
+ pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
diff --git a/install/share/kdc_extensions.template b/install/share/kdc_extensions.template
new file mode 100644
index ..df992babd406b0f7cffbfca1539d38a862b29f8c
--- /dev/null
+++ b/install/share/kdc_extensions.template
@@ -0,0 +1,32 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+# Also add the KDC fqdn, for good measure.
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:${ENV::HOST_FQDN}
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:${ENV::REALM}
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM}
+
diff --git a/install/share/kdc_req.conf.template b/install/share/kdc_req.conf.template
new file mode 100644
index ..872852079c09584d3db41d63788d95630029aab2
--- /dev/null
+++ b/install/share/kdc_req.conf.template
@@ -0,0 +1,14 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password= $PASSWORD
+
+[ req_distinguished_name ]
+$SUBJBASE
+$CERTNAME
+
+[ req_attributes ]
+challengePassword = A challenge password
+
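Review bot: `pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem` makes the KDC load its PKINIT private key from a plain PEM file, and since nothing on the KDC side can answer a passphrase prompt the key presumably has to sit in that file unencrypted; the code that writes kdc.pem is not in this hunk, but it needs to create the file with mode 0600 owned by the KDC user and must not leave an intermediate copy behind in a temporary location. I would record that next to the new line: `; kdc.pem holds the KDC certificate and its unencrypted private key - keep it 0600`. Note also that `pkinit_anchors` is the IPA CA itself, so every certificate that CA issues chains to a PKINIT-trusted anchor; as far as I know only MIT's default EKU check and the SAN-to-principal mapping keep an ordinary host or service certificate from serving as a client credential, so this setup should neither relax `pkinit_eku_checking` nor hand out client-auth EKUs on such certificates without intending it.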
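Review bot: The comment `# Here are some examples of the usage of nsCertType. If it is omitted` above `keyUsage` is the first half of a sentence copied from OpenSSL's sample openssl.cnf and says nothing about this template; replace it with one that states what the extensions are for, e.g. `# RFC 4556: a KDC certificate must carry the id-pkinit-KPKdc EKU (1.3.6.1.5.2.3.5) and an id-pkinit-san naming krbtgt/REALM, or clients reject the KDC by default`. It would also help to note at `keyUsage` that RFC 4556 only requires digitalSignature and the other bits are added for flexibility, and at `name_type` that `INTEGER:1` is KRB5_NT_PRINCIPAL, so a later maintainer does not change either blindly. `${ENV::HOST_FQDN}` and `${ENV::REALM}` rely on the caller exporting those variables into openssl's environment (presumably the certs.py change in the diffstat); a one-line comment at the top of the file saying so would save the next reader a trip through the installer.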
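Review bot: `output_password= $PASSWORD` puts the private-key passphrase into the rendered openssl config on disk, so whatever renders this template (not in this hunk) must write it with mode 0600 and delete it as soon as `openssl req` returns; and since the KDC's FILE: identity presumably needs an unencrypted key, the installer will have to strip that passphrase again anyway, in which case `-nodes` at the call site would be simpler than carrying a secret through a config file. The `[ req_attributes ]` section with `challengePassword = A challenge password` is leftover from OpenSSL's sample config: it embeds that literal string as a challengePassword attribute in every CSR, which means nothing here and could confuse a CA that honours the attribute, so drop the section together with `attributes = req_attributes`. `$SUBJBASE` and `$CERTNAME` are substituted as whole config lines, so the installer should also make sure the realm and hostname it expands there cannot contain newlines, which would otherwise inject extra directives into the request.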
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index b58675fb2dc7e938186e0da4e85e994d36e8fa57..464ebe640c5f78b5b4e93c7ac9dc4bc20171fbd3 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -106,14 +106,20 @@ def parse_options(): default=False, help=uninstall an existing installation) parser.add_option(-N, --no-ntp, dest=conf_ntp, action=store_false, help=do not configure ntp, default=True) +parser.add_option(--no-pkinit, dest=setup_pkinit, action=store_false, + default=True, help=disables pkinit setup steps) parser.add_option(--dirsrv_pkcs12, dest=dirsrv_pkcs12, help=PKCS#12 file containing the Directory Server SSL certificate) parser.add_option(--http_pkcs12, dest=http_pkcs12, help=PKCS#12 file containing the Apache Server SSL certificate) +parser.add_option(--pkinit_pkcs12, dest=pkinit_pkcs12, +
[Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support
This set of patches implements the first part of ticket #55. The patchset only adds the ability to install pkinit with the selfsigned CA (or with externally provided certs). If you need to use/test dogtag you can pass the --no-pkinit option for the time being, as setting up pkinit is performed by default. Patch 0003: change the install tools to use a subject base based on the realm name and not O=IPA for all installs. Patch 0004: Add basic certificate creation for selfsigned CA and KDC configuration. openssl had to be used because the NSS tools cannot deal with the special subjectAltName needed for the KDC certificate. Patch 0005: Always set pkinit_anchors so that all clients are preconfigured to do anonymous pkinit, including the master. Even if the client does not support pkinit, adding the option does not cause any harm, so it is a safe default. Patch 0006: Add the wellknown principal needed to perform anonymous pkinit AS requests. This principal is *DISABLED* by default. Patch 0007: Add a new plugin that allows enabling the wellknown account, effectively allowing anonymous pkinit tickets to be obtained. (As a bonus it implements disable too :) Patch 0008: Add support for configuring pkinit certs on replicas too. What is still missing is dogtag integration and certmonger tracking. Couldn't work on the dogtag part yet because it won't work on f14, which is the only Fedora version that has a kerberos version recent enough to support asking for anonymous pkinit tickets. Certmonger will need some thinking too, as the KDC certificate requires a different code path to be renewed (different commands in the selfsign CA and a different profile with dogtag). Simo. -- Simo Sorce * Red Hat, Inc * New York From 9787b05a29eb7f0c80b60bf47d8d5acf213ceb8b Mon Sep 17 00:00:00 2001 
From: Simo Sorce sso...@redhat.com Date: Mon, 1 Nov 2010 13:51:14 -0400 Subject: [PATCH 1/6] Use Realm as certs subject base name Also use the realm name as nickname for the CA certificate --- install/tools/ipa-replica-install |2 +- install/tools/ipa-replica-prepare |6 +++--- install/tools/ipa-server-certinstall |2 +- install/tools/ipa-server-install | 14 -- install/tools/man/ipa-server-install.1|2 +- ipa-client/ipa-install/ipa-client-install |4 ++-- ipapython/certdb.py |4 +++- ipaserver/install/cainstance.py | 16 ++-- ipaserver/install/certs.py| 15 ++- ipaserver/install/dsinstance.py |8 ipaserver/install/httpinstance.py | 14 +++--- ipaserver/plugins/selfsign.py |5 +++-- 12 files changed, 53 insertions(+), 39 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e54101202553395fab2515a4c67e1e5f0424b0ab..8cf8d84597588f86110958bc95ff4ad9015709da 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -47,7 +47,7 @@ class ReplicaConfig: self.host_name = self.repl_password = self.dir = -self.subject_base = O=IPA +self.subject_base = def parse_options(): from optparse import OptionParser diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 6e9d649ae6146c850ce6780efa7cccbe1f6100f4..059b011f9f60128ceba171cf5129e8c769e1eaf3 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare 
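Review bot: The `ReplicaConfig` default `self.subject_base` goes from `O=IPA` to an empty string, which turns a missing subject_base entry in the replica info file into a silently empty subject base instead of an error; a replica file prepared by a master from before this series would presumably have no such entry. The reader of the replica file is outside the hunk, so this may be handled there already; if not, derive the default from the realm once it is known or reject an empty value before certificates are created, and document the expectation with `# filled in from the replica file; must never stay empty`. `parse_options` continues past the end of the hunk.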
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec try: self_signed = certs.ipa_self_signed() -db = certs.CertDB(dir, subject_base=subject_base) +db = certs.CertDB(dir, realm_name, subject_base=subject_base) db.create_passwd_file() #if self_signed: #ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) #db.create_from_cacert(ca_db.cacert_fname) #else: #ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) -ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base) +ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base) db.create_from_cacert(ca_db.cacert_fname) db.create_server_cert(Server-Cert, hostname, ca_db) except Exception, e: @@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password): try: try: -db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host) +db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host) if db.has_nickname(ipaCert): pkcs12_fname = %s/ra.p12 % dir diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall index d853f71889e42d5f9570d153c2b978ef9965..9d69853e51308234cb3330b18e9d5665de62f5ca 100755 ---