set_string/pkinit_cert_match
Greg Hudson
ghudson at mit.edu
Thu Dec 28 14:56:00 EST 2017
On 12/28/2017 02:05 PM, Pallissard, Matthew wrote:
> I'm having issues when trying to use set_string with pkinit_cert_match. PKINIT does work when the SAN matches the user's principal explicitly. It does not work when I try to map it to a user where the principal does not match the SAN.
The intended use case for pkinit_cert_match is client certificates which
weren't issued for use with PKINIT at all, and therefore have no
id-pkinit-san values. If there is an id-pkinit-san value, the KDC
requires it to match the requested client principal. Currently, the
only way to allow this is to disable the pkinit_san module:
[plugins]
certauth = {
disable = pkinit_san
}
You would then have to specify a pkinit_cert_match string for every
principal, as SAN matching would be turned off entirely.
If enough people have the use case where they want certificates with
mismatched id-pkinit-san values to be accepted based on matching
strings, we could provide a more convenient configuration hook for it.
I had (perhaps naively) assumed that if people were going to the trouble
of issuing client certs with id-pkinit-san values, they could include
values for all of the desired client principal names.
More information about the Kerberos
mailing list