set_string/pkinit_cert_match
Pallissard, Matthew
kerberos at pallissard.net
Thu Dec 28 17:54:58 EST 2017
On Thu, Dec 28, 2017 at 02:56:00PM -0500, Greg Hudson wrote:
> On 12/28/2017 02:05 PM, Pallissard, Matthew wrote:
> > I'm having issues when trying to use set_string with pkinit_cert_match. PKINIT does work when the SAN matches the user's principal explicitly. It does not work when I try to map it to a user where the principal does not match the SAN.
>
> The intended use case for pkinit_cert_match is client certificates which
> weren't issued for use with PKINIT at all, and therefore have no
> id-pkinit-san values. If there is an id-pkinit-san value, the KDC
> requires it to match the requested client principal. Currently, the
> only way to allow this is to disable the pkinit_san module:
>
> [plugins]
> certauth = {
> disable = pkinit_san
> }
That did the trick.
>
> You would then have to specify a pkinit_cert_match string for every
> principal, as SAN matching would be turned off entirely.
>
> If enough people have the use case where they want certificates with
> mismatched id-pkinit-san values to be accepted based on matching
> strings, we could provide a more convenient configuration hook for it.
> I had (perhaps naively) assumed that if people were going to the trouble
> of issuing client certs with id-pkinit-san values, they could include
> values for all of the desired client principal names.
Having a more convenient hook would work great at orgs where many folks have multiple principals for privilege separation and no control over the certs. I'd +1 for pkinit_cert_match being able to function when a SAN exists. It'd be nice to only map principals that need it while leaving those that don't alone. That being said I can work around it. Thanks a lot!
Matt Pallissard
More information about the Kerberos
mailing list