Stateless PKINIT?

Greg Hudson ghudson at mit.edu
Fri Mar 15 12:17:44 EDT 2024


On 3/15/24 06:15, Yoann Gini wrote:
> Information about the principal (name and everything) could be 
> extracted from the certificate. Principal and certificate contain the 
> same information.

To issue a ticket, the KDC doesn't need to know directory-type 
information such as real names, but it does need to know 
Kerberos-specific policy information like "how long can the ticket 
expiration time be".  That information could presumably be standardized 
across clients, which is why I suggested a template principal.

> Other option I wonder is using the LDAP backend to answer dynamic 
> content (we have an LDAP gateway in our codebase, so we can use it as a 
> backend API between MIT Kerberos and our identity store).
> 
> Doing so, the main issue would be to know what Kerberos needs to write, to 
> handle it.

The KDC does not need to write to the KDB, although it will attempt to 
do writes to maintain account lockout state (which is irrelevant to the 
configuration at hand).  Attempts to write can be disabled via the 
settings documented here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/lockout.html#disable-lockout

When synthesizing a client principal entry (or creating a template), be 
sure to include the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR 
principal flags.
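As an added example (not part of this thread, and not the project's own configuration), a kdc.conf fragment that turns off the lockout-related writes mentioned above, with the kadmin.local attributes that correspond to the two principal flags noted in a comment. The realm name, file paths and the database module name are assumptions.

```ini
# Added example: kdc.conf for a KDC whose client entries are synthesized
# or copied from a template, so lockout bookkeeping writes are unwanted.
# Realm name, paths and the module name "example_kdb" are assumptions.
[realms]
    EXAMPLE.COM = {
        database_module = example_kdb
    }

[dbmodules]
    example_kdb = {
        db_library = db2
        database_name = /var/kerberos/krb5kdc/principal
        # Stop the KDC from attempting KDB writes for last-success and
        # lockout state (settings documented on the lockout page above).
        disable_last_success = true
        disable_lockout = true
    }

# Template principal to copy when synthesizing client entries, created
# with kadmin.local. The two attributes set the KRB5_KDB_REQUIRES_PRE_AUTH
# and KRB5_KDB_DISALLOW_SVR flags respectively:
#   add_principal -randkey +requires_preauth -allow_svr template@EXAMPLE.COM
```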
