Advice on cross-realm PKINIT?

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Mon Jun 9 20:36:56 EDT 2014


> -----Original Message-----
> The Kerberos protocol does not support cross-realm AS requests.  The
> definition of KDC-REQ-BODY in RFC 4120 section 5.4.1 contains only one realm
> (at the ASN.1 level, a PrincipalName does not include the realm) which is
> used for both the client and server principal.  So the requests in the second
> and third example is actually for a TGT in the EXTERNAL.ORG realm
> (presumably krbtgt/EXAMPLE.COM at EXTERNAL.ORG), which cannot be
> served from the EXAMPLE.COM KDC.

I think it's a bit harsh to claim cross-realm AS is not supported by the protocol. The native AS_REQ may not be able to specify different realms for the tgt and the client, but a PKINIT exchange has a certified client principal name/realm combination. It certainly seems to me that if the KDC has been configured to trust the CA binding principal name/realm to the public key, then the KDC should be justified in populating the cname/crealm fields in the reply using the certified information. Certainly, I see nothing in 4120 or 4556 which forbids this. I actually took the following to mean it was required in the absence of a configured "binding map" (p. 15, RFC 4556):

    Otherwise, if the client's X.509 certificate contains a Subject
    Alternative Name (SAN) extension carrying a KRB5PrincipalName
    (defined below) in the otherName field of the type GeneralName
    [RFC3280], it binds the client's X.509 certificate to that name.

However, accepting that it does not do it now, I retooled my experiment somewhat. I made a principal:

test/EXTERNAL.ORG at EXAMPLE.COM

in the example.com kdc (the only one I have). Then I signed the clientkey with

env CLIENT=test/EXTERNAL.ORG REALM=EXAMPLE.COM openssl x509 ...

And now "kinit test/EXTERNAL.ORG" results in a client name mismatch (also defined on p. 15 of RFC 4556). The trace indicates that kinit is correctly seeking credentials for "test/EXTERNAL.ORG at EXAMPLE.COM". I cannot get openssl to display the extension fields. I have not yet discovered a way for tshark to display the pkinit preauth. However, I triple-checked the signing command in my history against this principal. As far as I can tell, the principal in the KDC database, on the kinit command line, and in the certificate I'm using for PKINIT are all the same, and I'm still getting a client name mismatch. Does openssl not like slashes in environment variable expansions?

Thanks again for your help.

Bryce
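The "client name mismatch" above is the KDC comparing the KRB5PrincipalName carried in the certificate's SAN otherName (RFC 4556 section 3.2.2) with the client named in the AS-REQ. The following is an added example, not code from this thread or from MIT Kerberos: a stdlib-only DER encoder/decoder for that structure plus the comparison, showing that the slash in test/EXTERNAL.ORG is a component separator (the name-string holds "test" and "EXTERNAL.ORG" as two separate strings) and that the realm travels in its own field. Function names and the name-type < 128 shortcut are assumptions of this example.

```python
NT_PRINCIPAL = 1   # Kerberos name-type for ordinary principals (id-pkinit-san OID is 1.3.6.1.5.2.2)
def _len(n):
    """DER length octets: short form below 128, else 0x80 | byte-count followed by the bytes."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_krb5_principal_name(realm, components, name_type=NT_PRINCIPAL):
    """DER for KRB5PrincipalName { realm [0], principalName [1] }; name_type assumed < 128."""
    name_string = _tlv(0x30, b"".join(_tlv(0x1B, c.encode("ascii")) for c in components))
    principal = _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type]))) + _tlv(0xA1, name_string))
    return _tlv(0x30, _tlv(0xA0, _tlv(0x1B, realm.encode("ascii"))) + _tlv(0xA1, principal))

def _children(body):
    """Split a constructed DER body into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def _one(body, tag):
    """Require body to be exactly one element carrying the given tag; return its value."""
    kids = _children(body)
    if len(kids) != 1 or kids[0][0] != tag:
        raise ValueError(f"expected a single element tagged {tag:#x}")
    return kids[0][1]

def decode_krb5_principal_name(der):
    """Return (realm, name_type, components) from a KRB5PrincipalName DER value."""
    (t0, realm_ctx), (t1, pn_ctx) = _children(_one(der, 0x30))
    if (t0, t1) != (0xA0, 0xA1):
        raise ValueError("expected [0] realm followed by [1] principalName")
    realm = _one(realm_ctx, 0x1B).decode("ascii")              # Realm is a KerberosString
    (_, nt_ctx), (_, ns_ctx) = _children(_one(pn_ctx, 0x30))
    name_type = int.from_bytes(_one(nt_ctx, 0x02), "big", signed=True)
    components = [v.decode("ascii") for t, v in _children(_one(ns_ctx, 0x30)) if t == 0x1B]
    return realm, name_type, components

def parse_principal(text):
    """'test/EXTERNAL.ORG@EXAMPLE.COM' -> ('EXAMPLE.COM', ['test', 'EXTERNAL.ORG'])."""
    name, _, realm = text.rpartition("@")
    return realm, name.split("/")

def client_name_matches(san_der, requested_principal):
    """KDC-side check: the certified realm and name components must equal the AS-REQ client."""
    realm, _, components = decode_krb5_principal_name(san_der)
    return (realm, components) == parse_principal(requested_principal)
```

A certificate whose SAN encodes realm EXTERNAL.ORG with the single component "test" fails the check for test/EXTERNAL.ORG@EXAMPLE.COM, which is the same mismatch the KDC reports.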
