[EXTERNAL] Re: PKINIT on MacOSX Maverick and Yosemite

Machin, Glenn D GMachin at sandia.gov
Mon Jan 18 19:30:47 EST 2016


Thanks - it turns out the issue with MacOSX failing when --pk-use-enckey
is not used is associated with the minimum number of bits the KDC is
willing to accept for a client¹s Diffie-Hellman key. Apparently MacOSX
Heimdahl is set at 1024 and has no (at least that I can find) a krb5.conf
attribute like pkinit_dh_min_bits. The MIT KDC minimum is 2048 and even if
you set the kdc.conf pkinit_dh_min_bits to 1024 the source code¹s minimum
is defined at 2048.   I was hoping I could make a configuration change
rather than a code change but that does not look like its possible.   So I
had to change krb5-1.10.3/src/plugins/preauth/pkinit/pkinit.h for
PKINIT_DEFAULT_DH_MIN_BITS to 1024 to make pkinit work on MacOSX.

If you know a better way please let me know.


Glenn



On 1/18/16, 4:49 PM, "Greg Hudson" <ghudson at mit.edu> wrote:

>On 01/18/2016 01:52 PM, Machin, Glenn D wrote:
>> PKINIT  seems to only work using MacOSX kinit (/usr/bin/kinit) when the
>>argument "--pk-use-enckey" is also passed.    There does not seem to be
>>a corresponding krb5.conf setting for this argument.   Does anyone know
>>a MacOSX krb5.conf setting that will do the same thing as
>>--pk-use-enckey?
>
>By my reading of the OS X Heimdal code, there is no equivalent krb5.conf
>option.




More information about the Kerberos mailing list