First draft of pkinit plugin code now in Subversion

Sam Hartman hartmans at MIT.EDU
Fri Nov 24 16:32:53 EST 2006


Hi.

Thanks for the code.

I've confirmed that it does in fact work in the success case.  It was
relatively easy to build and the README did document enough of how to
get the code working.



The code seems to crash in the following cases:

1) A cert is used that is not authorized to gain access to the account
   in question.  For example if I use a hartmans cert to try and log
   into testprinc, it crashes the kdc.

2) If the CA directory is not hashed, the KDC cannot find the CA cert
   to use and crashes.

I'm concerned that the code uses a 1024-bit DH group and there seems
to be no way to change this.  Isn't 1024 bits somewhat weak?  I'm also
concerned that there seems to be no support for the supportedCMSTypes
field and that the use of CMS seems to hard code sha-1 rather than
making intelligent decisions about the appropriate hash to sign with.



However, this does look like a very good initial cut at things.
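
Added example, not part of the original message or of the pkinit plugin code: a pre-flight check for case 2 above that reports PEM certificates in a CA directory that no hash-named entry points to. It assumes OpenSSL's hashed-directory naming (`<8 hex digits>.<n>`) and the symlink layout that `c_rehash` creates; the function names, file names and hash value are constructed for illustration.

```python
import os
import re
import tempfile

# OpenSSL's hashed-directory lookup opens "<8 hex digits>.<n>" for certificates.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def check_ca_dir(path):
    """Return (hashed, unhashed): hash-named entries, and PEM certificates
    that no hash-named entry resolves to (symlink layout assumed)."""
    hashed, targets, certs = [], set(), []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):   # skips dangling links and subdirectories
            continue
        if HASH_NAME.match(name):
            hashed.append(name)
            targets.add(os.path.realpath(full))
            continue
        with open(full, "rb") as fh:
            if PEM_MARKER in fh.read(65536):
                certs.append(full)
    unhashed = [os.path.basename(c) for c in certs
                if os.path.realpath(c) not in targets]
    return hashed, unhashed


def demo():
    """Build a constructed CA directory: one certificate hashed, one not."""
    d = tempfile.mkdtemp()
    for name in ("ca-one.pem", "ca-two.pem"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(PEM_MARKER + b"\n(constructed placeholder, not a real cert)\n")
    # Constructed hash value; a real one comes from `openssl x509 -hash`.
    os.symlink("ca-one.pem", os.path.join(d, "0123abcd.0"))
    return check_ca_dir(d)


if __name__ == "__main__":
    hashed, unhashed = demo()
    print("hash-named entries:", hashed)
    print("certificates without a hash-named link:", unhashed)
```

A hashed entry that is a copy of the certificate rather than a symlink is not matched to its source file, so that certificate is still listed as unhashed.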