Stateless PKINIT?
Greg Hudson
ghudson at mit.edu
Fri Mar 15 12:17:44 EDT 2024
On 3/15/24 06:15, Yoann Gini wrote:
> Informations about the principal (name and everything) could be
> extracted from the certificate. Principal and certificate contains the
> same informations.
To issue a ticket, the KDC doesn't need to know directory-type
information such as real names, but it does need to know
Kerberos-specific policy information like "how long can the ticket
expiration time be". That information could presumably be standardized
across clients, which is why I suggested a template principal.
> Other option I wonder is using the LDAP backend to answer dynamic
> content (we have an LDAP gateway in our codebase, so we can use it as a
> backend API between MIT Kerberos and our identity store).
>
> Doing so the main issue would be to know what Kerberos need to write, to
> handle it.
The KDC does not need to write to the KDB, although it will attempt to
do writes to maintain account lockout state (which is irrelevant to the
configuration at hand). Attempts to write can be disabled via the
settings documented here:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/lockout.html#disable-lockout
When synthesizing a client principal entry (or creating a template), be
sure to include the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR
principal flags.
More information about the Kerberos
mailing list