set_string/pkinit_cert_match

[Pallissard, Matthew]

On Thu, Dec 28, 2017 at 02:56:00PM -0500, Greg Hudson wrote:
> On 12/28/2017 02:05 PM, Pallissard, Matthew wrote:
> > I'm having issues when trying to use set_string with pkinit_cert_match.   PKINIT does work when the SAN matches the user's principal explicitly.  It does not work when I try to map it to a user where the principal does not match the SAN.
> 
> The intended use case for pkinit_cert_match is client certificates which
> weren't issued for use with PKINIT at all, and therefore have no
> id-pkinit-san values.  If there is an id-pkinit-san value, the KDC
> requires it to match the requested client principal.  Currently, the
> only way to allow this is to disable the pkinit_san module:
> 
>   [plugins]
>     certauth = {
>       disable = pkinit_san
>     }

That did the trick.

> 
> You would then have to specify a pkinit_cert_match string for every
> principal, as SAN matching would be turned off entirely.
> 
> If enough people have the use case where they want certificates with
> mismatched id-pkinit-san values to be accepted based on matching
> strings, we could provide a more convenient configuration hook for it.

> I had (perhaps naively) assumed that if people were going to the trouble
> of issuing client certs with id-pkinit-san values, they could include
> values for all of the desired client principal names.


Having a more convenient hook would work great at orgs where many folks have multiple principals for privilege separation and no control over the certs.  I'd +1 for pkinit_cert_match being able to function when a SAN exists.  It'd be nice to only map principals that need it while leaving those that don't alone. That being said I can work around it. Thanks a lot!

Matt Pallissard