Stateless PKINIT?
Yoann Gini
yoann.gini at gmail.com
Fri Mar 15 12:19:08 EDT 2024
> Le 15 mars 2024 à 17:17, Greg Hudson <ghudson at mit.edu> a écrit :
>
> On 3/15/24 06:15, Yoann Gini wrote:
>> Information about the principal (name and everything) could be extracted from the certificate. Principal and certificate contain the same information.
>
> To issue a ticket, the KDC doesn't need to know directory-type information such as real names, but it does need to know Kerberos-specific policy information like "how long can the ticket expiration time be". That information could presumably be standardized across clients, which is why I suggested a template principal.
Understood!
That's an interesting lead here.
>> Another option I wonder about is using the LDAP backend to answer dynamic content (we have an LDAP gateway in our codebase, so we can use it as a backend API between MIT Kerberos and our identity store).
>> Doing so, the main issue would be knowing what Kerberos needs to write, in order to handle it.
>
> The KDC does not need to write to the KDB, although it will attempt to do writes to maintain account lockout state (which is irrelevant to the configuration at hand). Attempts to write can be disabled via the settings documented here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/lockout.html#disable-lockout
>
> When synthesizing a client principal entry (or creating a template), be sure to include the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR principal flags.
OK, thanks!
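As an added illustration of the two points Greg raises (this is not code from the thread or from MIT krb5): a POSIX shell script that writes the `[dbmodules]` settings which stop the KDC from writing lockout state to the backend, and a check that a `getprinc` listing of the template principal actually carries the REQUIRES_PRE_AUTH and DISALLOW_SVR flags. The module name `ldap_backend`, the output path and the principal name `pkinit-template@EXAMPLE.COM` are assumptions, and the `getprinc` text is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread. It (1) writes the [dbmodules]
# settings that stop the KDC writing lockout bookkeeping to the KDB and
# (2) checks a "getprinc" listing for the two flags Greg names.
# Module name, output path and principal name are assumptions.

write_dbmodules_fragment() {
  # $1: destination file; the admin merges it into kdc.conf (assumed path).
  # Other settings the kldap module needs are omitted here.
  cat > "$1" <<'EOF'
[dbmodules]
    ldap_backend = {
        db_library = kldap
        # No writes for lockout state (krb5 admin guide, "Disabling lockout").
        disable_last_success = true
        disable_lockout = true
    }
EOF
}

# Reads a getprinc listing on stdin; returns 0 only when its Attributes
# line lists both REQUIRES_PRE_AUTH and DISALLOW_SVR, 1 otherwise.
has_template_flags() {
  attrs=$(sed -n 's/^Attributes: *//p')
  case " $attrs " in
    *" REQUIRES_PRE_AUTH "*) ;;
    *) return 1 ;;
  esac
  case " $attrs " in
    *" DISALLOW_SVR "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of: kadmin.local -q "getprinc pkinit-template"
SAMPLE_GETPRINC='Principal: pkinit-template@EXAMPLE.COM
Maximum ticket life: 0 days 10:00:00
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]'

# Creates the template principal when kadmin.local is available.
# kadmin syntax: +requires_preauth sets REQUIRES_PRE_AUTH, -allow_svr sets DISALLOW_SVR.
create_template_principal() {
  command -v kadmin.local >/dev/null 2>&1 || return 0
  kadmin.local -q "addprinc -randkey +requires_preauth -allow_svr $1"
}

if [ "${1:-}" = "--demo" ]; then
  write_dbmodules_fragment /tmp/dbmodules.conf.example
  printf '%s\n' "$SAMPLE_GETPRINC" | has_template_flags && echo "template flags OK"
fi
```

Run with `--demo` to write the fragment and check the sample listing; pipe real `kadmin.local -q "getprinc ..."` output into `has_template_flags` to audit an existing entry.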