How to turn off validation of the Domain Controller’s cert? (pkinit)

Robert fuzzyhypothesis at yahoo.com
Thu Sep 30 11:12:09 EDT 2010


Hi,
 
I wanted to know if there is a way I can stub out in the code so that I do not check 
the domain controller/realm’s server certificate when using smart cards through the 
pkinit plugin (via PAM/pamkrb) and MIT Kerberos 1.8.3?
 
My problem is the DC is an MS box that I have no control over and has a tendency 
to change its signed cert a lot.  Why? Long story, but it’s not because of 
security concerns, more of a “tinkering” one.  Well, each time that changes, my 
client systems start failing with a preauth error since they can’t verify the 
certificate (I need to install a new root on all the systems, etc.).
 
So…I wanted to know if there is a way to turn this off via krb.conf or some 
other method.  Or if someone could point me to the correct check in the code for 
this that I can stub out.  I have been digging down into the pkinit plugin, in 
particular the pkinit_clnt.c/pkinit_client_process(), but haven’t seen anything 
that strikes me as a “validate_controller_cert_here()” like function.  The check 
seems to happen on receiving an AS-REP with a cert attached.
 
I know removing this check is not a recommended practice, but it’s what I 
have to deal with.  Any help would be appreciated.
 
FuzzyH
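For the krb5.conf side of the question, the following is an added example, not part of the original post and not taken from the MIT krb5 project: a `[realms]` fragment using the PKINIT client options that exist in MIT Kerberos 1.8. The realm name, KDC hostname and anchor path are placeholders. It shows the settings that can legitimately be loosened for a Microsoft KDC (EKU and subject-alternative-name checks), the looser setting beside the safer one, and that there is no option which turns off chain validation of the KDC certificate itself.

```ini
; krb5.conf fragment (added example; realm, host and paths are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com

        ; Trust anchors used to validate the KDC certificate chain in the
        ; AS-REP. A DIR: anchor lets a new root be dropped into the directory
        ; without editing krb5.conf on every client; chain validation itself
        ; cannot be disabled here.
        pkinit_anchors = DIR:/etc/krb5/pkinit-anchors

        ; Identity presented by the client (a PKCS#11 smart card module);
        ; the module path is a placeholder.
        pkinit_identities = PKCS11:/usr/lib/opensc-pkcs11.so

        ; Microsoft DC certificates normally carry a dNSName SAN rather than
        ; the RFC 4556 id-pkinit-san. Naming the KDC here accepts that SAN
        ; only for this host; omitting the option leaves the strict check.
        pkinit_kdc_hostname = dc1.example.com

        ; EKU check on the KDC certificate:
        ;   kpKDC        (default) require id-pkinit-KPKdc
        ;   kpServerAuth also accept id-kp-serverAuth, as Microsoft issues
        ;   none         skip the EKU check entirely (weakest; avoid)
        pkinit_eku_checking = kpServerAuth

        ; Leave CRL checking at its default (false) unless CRLs are placed
        ; in the anchor directory as well.
        pkinit_require_crl_checking = false
    }
```

None of these options removes the signature and chain check on the AS-REP; in 1.8 that check is performed by the crypto backend (pkinit_crypto_openssl.c, cms_signeddata_verify) when pkinit_clnt.c parses the AS-REP, which is why no “validate_controller_cert_here()” exists in pkinit_client_process(). That check is what prevents anyone able to answer on the KDC port from completing the AS exchange as the realm and handing the client a session key of the attacker’s choosing, so the operational fix for a DC whose root keeps changing is to automate distribution of the new root into the anchor directory rather than to stub out the verification.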