help with OTP
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Apr 26 13:08:41 EDT 2023
>The docs that I referenced still made it seem that the anchor config
>was somewhat optional for anonymous auth.
>
>..but maybe I wasn't reading those lines with the proper mindset or context.
Looking at that, I can see why you would come to that conclusion. It
was obvious to ME that you needed to configure the client to trust the
KDC's certificate but I had the benefit of literal years of experience
with PKINIT. Unfortunately, there's kind of a "missing middle" in terms
of Kerberos documentation; there are some good high level overviews,
a LOT of stuff that is documented down the wire protocol and API level,
but in terms of practical integration it's kind of harsh to a newcomer
because it is written by people who already know all of this. I am not
faulting MIT for this, as this is true with the documentation for
a LOT of very technical things. It's a lot of effort to write the
sort of thing that would be useful for this kind of situation. The
information is all out there but it's kind of scattered in a bunch
of different places and it takes a lot of effort to put it all together.
--Ken
More information about the Kerberos
mailing list