krb5-1.12.1, pkinit, and openssl ca

Greg Hudson ghudson at MIT.EDU
Mon Jun 9 11:57:56 EDT 2014


On 06/08/2014 06:35 PM, squidmobile at fastmail.fm wrote:
>     pkinit_identity           = DIR:/home/%{username}/.krb5.id

I think this is the source of your problems in two ways:

1. pkinit_identity is only for the KDC.  pkinit_identities is for
clients.  This is of course very confusing (the variables should have
been named with "kdc" and "client" substrings), and the documentation
should do more to highlight the difference.

2. pkinit_identity isn't processed through path token substitution.
This is largely a historical accident; PKINIT was introduced in 1.6,
while path substitution was introduced along with default_ccache_name in
1.11.  The best you can do right now is specify pkinit_identities =
ENV:SOMEENVVARNAME, and then make each user's dotfiles set
SOMEENVVARNAME to DIR:/path/to/their/home/directory/.krb5.id.

I will file three issues about the confusing profile variable names,
lack of path substitution, and lack of a path substitution token for the
home directory.

> KRB5_TRACE=/dev/stdout kinit  \
>   -X X509_user_identity=DIR:/home/test/.krb5.id my/principal
[...]
> Jun  7 18:14:46 kdc krb5kdc[6158]: preauth (pkinit) verify failure:
>   Client name mismatch

We need better logging for this situation; I will file a fourth issue
about that.

I went back over your earlier messages and didn't see a transcript of
how you created the client certificate, so I'm not sure what the misstep
was.  (The instructions in the documentation do work.)
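The ENV: workaround described above, written out as an added example that is not part of this thread or of krb5 itself. It assumes an environment variable named KRB5_PKINIT_ID (any name works) and relies on the *.crt / *.key basename pairing that krb5's DIR: identity form uses; the identity directory it builds holds placeholder files, not real certificates.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): the ENV: workaround for
# per-user PKINIT identities, plus a check a user can run when kinit does not
# seem to pick up their identity.  The variable name KRB5_PKINIT_ID and the
# krb5.conf fragment below are illustrative choices, not anything krb5 mandates.

# 1. Client-side krb5.conf fragment.  pkinit_identities is the client
#    variable; pkinit_identity is KDC-only, as the message points out.
krb5_conf_fragment() {
    cat <<'EOF'
[libdefaults]
    pkinit_identities = ENV:KRB5_PKINIT_ID
EOF
}

# 2. Line each user adds to their shell startup file.  Path substitution
#    (%{username}) is not applied to pkinit_identities, so the shell expands
#    the home directory instead.  Argument: home directory (defaults to $HOME).
dotfile_line() {
    home="${1:-$HOME}"
    printf 'export KRB5_PKINIT_ID="DIR:%s/.krb5.id"\n' "$home"
}

# 3. Diagnose the value the user ended up with:
#    - the variable is set and uses the DIR: form
#    - the directory exists and holds at least one cert/key pair
#      (krb5 pairs NAME.crt with NAME.key inside a DIR: identity)
#    - private keys are not group- or world-readable
# Prints a diagnosis and returns 0 only when everything looks usable.
check_pkinit_env() {
    val="$1"
    case "$val" in
        DIR:*) dir="${val#DIR:}" ;;
        "")    echo "KRB5_PKINIT_ID is unset"; return 1 ;;
        *)     echo "unexpected identity form: $val"; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    pairs=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        key="${crt%.crt}.key"
        [ -f "$key" ] || { echo "missing private key for $crt"; return 1; }
        # GNU stat first, BSD/macOS stat as fallback
        perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$perms" in
            *00) ;;   # 600, 400, 700, 500: owner only
            *) echo "private key $key is readable by others (mode $perms)"; return 1 ;;
        esac
        pairs=$((pairs + 1))
    done
    [ "$pairs" -gt 0 ] || { echo "no .crt/.key pairs in $dir"; return 1; }
    echo "ok: $pairs identity pair(s) in $dir"
    return 0
}

# Stand-alone demonstration with a constructed identity directory holding
# placeholder files (not real PEM data); it is removed again afterwards.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/.krb5.id"
printf 'placeholder certificate\n' > "$demo_dir/.krb5.id/user.crt"
printf 'placeholder private key\n'  > "$demo_dir/.krb5.id/user.key"
chmod 600 "$demo_dir/.krb5.id/user.key"
krb5_conf_fragment
dotfile_line "$demo_dir"
check_pkinit_env "DIR:$demo_dir/.krb5.id"
rm -rf "$demo_dir"
```

Running the script prints the config fragment, the dotfile line for the constructed home directory, and the diagnosis; with a world-readable key or a missing .key file the check reports the reason and returns non-zero, which is the kind of detail the "Client name mismatch" KDC log line does not surface.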