[krbdev.mit.edu #7149] Some important misconfigurations of the PKINIT plugin do not cause useful printout to KRB5_TRACE.
The RT System itself via RT
rt-comment at krbdev.mit.edu
Tue May 22 22:36:52 EDT 2012
To: krb5-bugs at mit.edu
Subject: Insufficient Information Printed from the PKINIT Plugin
From: hotz at jpl.nasa.gov
X-send-pr-version: 3.99
Message-Id: <20120523011227.478A22833F9 at sl6hotz.jpl.nasa.gov>
Date: Tue, 22 May 2012 18:12:27 -0700 (PDT)
>Submitter-Id: net
>Originator: Henry B. Hotz
>Organization:
Jet Propulsion Laboratory
>Confidential: no
>Synopsis: Some important misconfigurations of the PKINIT plugin do not cause useful printout to KRB5_TRACE.
>Severity: non-critical
>Priority: medium
>Category: krb5-clients
>Class: support
>Release: 1.9
>Environment:
Intel VM, Scientific Linux 6.2, Scientific Linux 6.2, pkinit plugin
System: Linux sl6hotz.jpl.nasa.gov 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 15:16:22 CDT 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Some errors printed by the pkiDebug() routine, such as "no anchors in file", suggest mistakes in the krb5.conf. They should be printed to KRB5_TRACE, since it may be difficult to debug a configuration without them. It would not be excessive, but might not be necessary, to make all pkiDebug() go to KRB5_TRACE.
>How-To-Repeat:
Varies. For the specific example just given set pkinit_anchors to a .der-formatted file instead of PEM.
>Fix:
The workaround used was to build with the DEBUG flag. Seems excessive.
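
A preflight check for the misconfiguration described in this report, given as an added example that is not part of the original report or of MIT krb5: it scans krb5.conf text for `pkinit_anchors` values and flags `FILE:` anchors that look like DER rather than PEM. The function names, the sample paths and the first-byte DER heuristic are assumptions of this example, and the certificate contents are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"
ANCHOR_RE = re.compile(r"^\s*pkinit_anchors\s*=\s*(\S+)", re.MULTILINE)

def classify_anchor_file(path):
    """Return 'pem', 'der', 'missing' or 'unknown' for one anchor file."""
    p = Path(path)
    if not p.is_file():
        return "missing"
    data = p.read_bytes()
    if PEM_MARKER in data:
        return "pem"
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"

def check_pkinit_anchors(conf_text):
    """Return [(value, verdict)] for every pkinit_anchors line in conf_text."""
    results = []
    for value in ANCHOR_RE.findall(conf_text):
        if value.startswith("FILE:"):
            results.append((value, classify_anchor_file(value[len("FILE:"):])))
        else:
            results.append((value, "not-checked"))  # DIR: and other types
    return results

def demo():
    """Run the check on a constructed krb5.conf fragment (hypothetical paths)."""
    tmp = Path(tempfile.mkdtemp())
    pem = tmp / "ca.pem"
    der = tmp / "ca.der"
    # Constructed placeholder contents, not real certificates.
    pem.write_bytes(PEM_MARKER + b"\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    der.write_bytes(b"\x30\x82\x03\x00" + b"\x00" * 16)
    conf = (
        "[realms]\n EXAMPLE.COM = {\n"
        f"  pkinit_anchors = FILE:{pem}\n"
        f"  pkinit_anchors = FILE:{der}\n"
        "  pkinit_anchors = DIR:/etc/pki/anchors\n }\n"
    )
    return [verdict for _, verdict in check_pkinit_anchors(conf)]

if __name__ == "__main__":
    print(demo())
```

A `der` or `missing` verdict points at the kind of krb5.conf mistake that, per the report, surfaces only through pkiDebug() output.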