Comments on the use of plugins - use of pkinit_kdc_hostname

Douglas E. Engert deengert at
Mon Jun 18 17:11:03 EDT 2007

Sam Hartman wrote:
>>>>>> "Douglas" == Douglas E Engert <deengert at> writes:
>     Douglas> I think what I am asking for is a better way to handle
>     Douglas> the current Windows KDCs, until they support full RFC
>     Douglas> 4556.
> Right.
> And if we can figure out a secure way to map the KDC cert to a specific realm without configuration, I'm happy to do that.


> So far you have not shown that the mappings you propose are in fact
> secure.
> Keep in mind that MIT clients will likely have a larger CA set than
> some W2K deployments.

Yes. So the pkinit_eku_checking = W2k is per realm. The pkinit_anchors can also be set per realm.
So the same client could use a larger CA set for other, non-Windows realms.

So if the KDC cert does not meet RFC 4556 and pkinit_eku_checking = w2k is set in the
krb5.conf [realm] section for the realm in question, the following must be true:

   KDC cert has extension with "DomainController"

   KDC cert has extension SAN DNS: hostname

   hostname matches the hostname of the expected KDC.

   hostname is processed via [domain_realm] mapping to get realm.

   Realm matches intended realm.

   The KDC cert is verified against the CA as listed in the pkinit_anchors
   for the realm.

This security relies on the CA only signing certs with
"DomainController" for *real* domain controllers. The SAN DNS: name would be the
name of the KDC. The [domain_realm] mapping would get the realm from any host
in the domain with a cert, but only a KDC would have "DomainController".



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
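The six-point acceptance rule Engert lays out for a per-realm pkinit_eku_checking = w2k setting, modelled in Python as an added example (this is not code from the mail, nor MIT krb5's pkinit plugin). Assumptions: the "DomainController" marker is read from the Microsoft certificate-template-name extension, assumed here to be OID 1.3.6.1.4.1.311.20.2; realm names, hostnames, anchors and the sample certificates are all constructed; and chain building is reduced to an issuer-name comparison against the realm's pkinit_anchors, where a real client would run full X.509 path validation. The [domain_realm] lookup follows krb5's usual exact-host-then-parent-domain order.

```python
"""Per-realm w2k-style KDC certificate acceptance (added example, not krb5 code)."""
from dataclasses import dataclass, field

# Assumed OID: Microsoft certificate template name extension
# (szOID_ENROLL_CERTTYPE_EXTENSION); value is the template name.
MS_CERT_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    subject: str
    issuer: str
    san_dns: list = field(default_factory=list)
    extensions: dict = field(default_factory=dict)  # oid -> value


# Constructed krb5.conf-style configuration: w2k checking and a narrow anchor
# set for the Windows realm, a broader anchor set for the MIT realm.
REALMS = {
    "AD.EXAMPLE.COM": {
        "pkinit_eku_checking": "w2k",
        "pkinit_anchors": {"CN=Example AD Root CA"},
    },
    "MIT.EXAMPLE.ORG": {
        "pkinit_eku_checking": "kpKDC",
        "pkinit_anchors": {"CN=Example AD Root CA", "CN=Org Public CA"},
    },
}
DOMAIN_REALM = {
    "ad.example.com": "AD.EXAMPLE.COM",
    ".ad.example.com": "AD.EXAMPLE.COM",
    ".mit.example.org": "MIT.EXAMPLE.ORG",
}


def domain_realm_lookup(hostname, mapping=DOMAIN_REALM):
    """[domain_realm] lookup: exact host first, then each parent domain
    written with a leading dot, most specific first; None if unmapped."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def check_w2k_kdc_cert(cert, expected_kdc_host, intended_realm,
                       realms=REALMS, mapping=DOMAIN_REALM):
    """Apply the six conditions from the mail; return (accepted, reason)."""
    realm_cfg = realms.get(intended_realm)
    if realm_cfg is None or realm_cfg.get("pkinit_eku_checking") != "w2k":
        return False, "w2k checking not enabled for realm"
    # 1. the cert carries the DomainController template marker
    if cert.extensions.get(MS_CERT_TEMPLATE_NAME_OID) != "DomainController":
        return False, "not a DomainController certificate"
    # 2./3. a SAN dNSName is present and names the KDC we set out to contact
    names = {n.lower().rstrip(".") for n in cert.san_dns}
    if expected_kdc_host.lower().rstrip(".") not in names:
        return False, "SAN dNSName does not name the expected KDC"
    # 4./5. hostname -> realm via [domain_realm] must give the intended realm
    if domain_realm_lookup(expected_kdc_host, mapping) != intended_realm:
        return False, "hostname maps to a different realm"
    # 6. chain to the anchors configured for *this* realm only (stubbed)
    if cert.issuer not in realm_cfg["pkinit_anchors"]:
        return False, "issuer is not a pkinit_anchor for the realm"
    return True, "accepted"


# Constructed sample certificates.
DC_CERT = Cert("CN=dc1.ad.example.com", "CN=Example AD Root CA",
               ["dc1.ad.example.com"],
               {MS_CERT_TEMPLATE_NAME_OID: "DomainController"})
# Ordinary domain member: same CA, same domain, but not a DC template.
MEMBER_CERT = Cert("CN=fs1.ad.example.com", "CN=Example AD Root CA",
                   ["fs1.ad.example.com"],
                   {MS_CERT_TEMPLATE_NAME_OID: "Machine"})
# DC-looking cert from a CA the client trusts only for the MIT realm.
ROGUE_CERT = Cert("CN=dc1.ad.example.com", "CN=Org Public CA",
                  ["dc1.ad.example.com"],
                  {MS_CERT_TEMPLATE_NAME_OID: "DomainController"})
# Genuine DC cert, but for a host whose domain maps to another realm.
OTHER_REALM_CERT = Cert("CN=kdc.mit.example.org", "CN=Example AD Root CA",
                        ["kdc.mit.example.org"],
                        {MS_CERT_TEMPLATE_NAME_OID: "DomainController"})


if __name__ == "__main__":
    for cert, host in [(DC_CERT, "dc1.ad.example.com"),
                       (MEMBER_CERT, "fs1.ad.example.com"),
                       (ROGUE_CERT, "dc1.ad.example.com"),
                       (OTHER_REALM_CERT, "kdc.mit.example.org")]:
        print(cert.subject, check_w2k_kdc_cert(cert, host, "AD.EXAMPLE.COM"))
```

The realm-scoped anchor set is what does the work in the third case: the same client trusts "CN=Org Public CA" for the MIT realm, yet a DomainController cert it issued is rejected for the Windows realm because the check consults only that realm's pkinit_anchors.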
