How to turn off checking the Domain Controller’s cert from being validated? (pkinit)
Robert
fuzzyhypothesis at yahoo.com
Thu Sep 30 11:12:09 EDT 2010
Hi,
I wanted to know if there is a way I can stub out in the code so I do not check
the domain controller/realm’s server certificate when using smartcards through
pkinit plugin (via PAM/pamkrb) and MIT Kerberos 1.8.3?
My problem is the DC is an MS box that I have no control over and has a tendency
to change its signed cert a lot. Why? Long story, but it’s not because of
security concerns, more of a “tinkering” one. Well each time that changes, my
client systems start failing for preauth error since it can’t verify the
certificate (I need to install a new root to all the systems etc etc).
So… I wanted to know if there is a way to turn this off via krb.conf or some
other method. Or if someone could point me to the correct check in the code for
this that I can stub out. I have been digging down into the pkinit plugin, in
particular the pkinit_clnt.c/pkinit_client_process(), but haven’t seen anything
that strikes me as a “validate_controller_cert_here()” like function. The check
seems to happen on receiving an AS-REP with a cert attached.
I know this is not a recommended practice to remove this check, but it’s what I
have to deal with. Any help would be appreciated.
FuzzyH