Stateless PKINIT?

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Mar 14 15:27:45 EDT 2024


>Is there a way when using PKINIT to not need any internal list of
>principals but to rely on the validity of the certificate to proxy the
>certificate identity into the Kerberos ticket?

I know what all of those words are, but I'm unclear what they mean all
together.  I think you mean _this_ step:

>— the KDC needs to issue the needed TGT then TGS based on the identity
>in the certificate if CRL is OK

To get a TGT issued you need to send an AS-REQ, and that's going to have
a client principal in it, so normally that's already done.  However,
you are allowed to set the canonicalization flag as part of the AS-REQ
message and the KDC can change the client principal.

Note: this is where we reach the limits of my experience, so others may
correct me on the following points.  Also, I'm limiting my speaking to
the MIT Kerberos implementation.

It looks like there is some code in the MIT KDC to perform such
a lookup; the database plugin API contains a function called
krb5_db_get_s4u_x509_principal(), which takes a client certificate.  But
neither of the current database implementations (db2 or LDAP) use that
plugin API today.  Note that third-party code may already exist that
uses that API, but I am unfamiliar with it.

It looks like if you go that route you have to add that certificate
to the client request outside of PKINIT.  In either case I do not
believe you can actually just stick the SPNEGO API in, as PKINIT
would require initial ticket acquisition.

It feels like a large number of the pieces are there, but I am not
sure it's going to be turnkey.

--Ken


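The two mechanisms the reply above leans on (the certificate carrying a Kerberos identity, and the KDC only being allowed to hand back a different client name when the AS-REQ set the canonicalize flag) can be shown end to end in a small simulation. The following is an added example, not code from the mailing-list post and not MIT krb5 code: it builds and parses the id-pkinit-san otherName from RFC 4556 section 3.2.2 with a hand-rolled DER encoder/decoder, then models the KDC decision with a constructed `principal_db` set standing in for the KDC database and a `kdc_as_req()` function that exists only here. The certificate-to-principal lookup step is the role the post attributes to the KDB `get_s4u_x509_principal()` hook; the simulation does not call that API.

```python
# Added example (not from the post or MIT krb5). Everything below is constructed:
# the SAN bytes, the principal_db set and the kdc_as_req() logic are illustrations.

ID_PKINIT_SAN = bytes.fromhex("2b0601050202")  # OID 1.3.6.1.5.2.2 (id-pkinit-san), DER body
NT_PRINCIPAL = 1                                # Kerberos name-type NT-PRINCIPAL
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6                 # RFC 4120
KDC_ERR_CLIENT_NAME_MISMATCH = 75               # RFC 4556


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form only)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; returns (tag, body, next_pos). Bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("TLV body runs past buffer")
    return tag, buf[pos:pos + ln], pos + ln


def _expect(buf: bytes, tag: int, pos: int = 0):
    """Like _tlv but insists on a specific tag; returns (body, next_pos)."""
    t, body, nxt = _tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return body, nxt


def pkinit_san(realm: str, *name_parts: str) -> bytes:
    """Encode GeneralName otherName{id-pkinit-san, KRB5PrincipalName} (RFC 4556 3.2.2).
    Kerberos ASN.1 uses EXPLICIT tagging, so every [n] wraps the inner TLV."""
    name_string = _der(0x30, b"".join(_der(0x1B, p.encode()) for p in name_parts))
    principal_name = _der(0x30, _der(0xA0, _der(0x02, bytes([NT_PRINCIPAL])))
                          + _der(0xA1, name_string))
    krb5_pn = _der(0x30, _der(0xA0, _der(0x1B, realm.encode()))
                   + _der(0xA1, principal_name))
    other_name = _der(0x06, ID_PKINIT_SAN) + _der(0xA0, krb5_pn)  # value [0] EXPLICIT ANY
    return _der(0xA0, other_name)                                 # otherName is [0] IMPLICIT


def principal_from_pkinit_san(general_name: bytes) -> str:
    """Parse the SAN back into 'comp1/comp2@REALM'; ValueError on anything unexpected."""
    other, _ = _expect(general_name, 0xA0)
    oid, pos = _expect(other, 0x06)
    if oid != ID_PKINIT_SAN:
        raise ValueError("SAN otherName is not id-pkinit-san")
    value, _ = _expect(other, 0xA0, pos)
    krb5_pn, _ = _expect(value, 0x30)
    realm_wrap, pos = _expect(krb5_pn, 0xA0)
    realm, _ = _expect(realm_wrap, 0x1B)
    pn_wrap, _ = _expect(krb5_pn, 0xA1, pos)
    pn, _ = _expect(pn_wrap, 0x30)
    nt_wrap, pos = _expect(pn, 0xA0)
    name_type, _ = _expect(nt_wrap, 0x02)
    if int.from_bytes(name_type, "big", signed=True) != NT_PRINCIPAL:
        raise ValueError("unexpected name-type")
    ns_wrap, _ = _expect(pn, 0xA1, pos)
    ns, _ = _expect(ns_wrap, 0x30)
    parts, pos = [], 0
    while pos < len(ns):
        s, pos = _expect(ns, 0x1B, pos)
        parts.append(s.decode())
    if not parts:
        raise ValueError("empty name-string")
    return "/".join(parts) + "@" + realm.decode()


def kdc_as_req(requested_cname: str, canonicalize: bool, client_san: bytes,
               principal_db: set) -> dict:
    """Simulated KDC (hypothetical, not MIT code): the certificate decides who the
    client is; principal_db is a constructed stand-in for the KDC database.
    The reply cname may differ from the requested one only if canonicalize is set."""
    cert_name = principal_from_pkinit_san(client_san)
    if cert_name not in principal_db:
        return {"msg": "KRB-ERROR", "error-code": KDC_ERR_C_PRINCIPAL_UNKNOWN}
    if requested_cname != cert_name and not canonicalize:
        # RFC 4556: the certificate must bind to the requested client; RFC 6806:
        # without the canonicalize flag the KDC cannot substitute another cname.
        return {"msg": "KRB-ERROR", "error-code": KDC_ERR_CLIENT_NAME_MISMATCH}
    return {"msg": "AS-REP", "cname": cert_name, "renamed": requested_cname != cert_name}


if __name__ == "__main__":
    san = pkinit_san("EXAMPLE.COM", "alice")
    db = {"alice@EXAMPLE.COM"}
    print(kdc_as_req("placeholder@EXAMPLE.COM", False, san, db))
    print(kdc_as_req("placeholder@EXAMPLE.COM", True, san, db))
```

The interesting case is the last two calls: the client does not know its principal and sends a placeholder; without the canonicalize flag the simulated KDC refuses, with it the reply carries the name taken from the certificate. A real deployment still has to check the certificate chain and revocation status before any of this runs, which the simulation deliberately leaves out.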