Comments on the use of plugins - use of pkinit_kdc_hostname
Douglas E. Engert
deengert at anl.gov
Mon Jun 18 17:11:03 EDT 2007
Sam Hartman wrote:
>>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
>
> Douglas> I think what I am asking for is a better way to handle
> Douglas> the current Windows KDCs, until they support full RFC
> Douglas> 4556.
>
> Right.
> And if we can figure out a secure way to map the KDC cert to a specific realm without configuration, I'm happy to do that.
>
> So far you have not shown that the mappings you propose are in fact
> secure.
>
> Keep in mind that MIT clients will likely have a larger CA set than
> some W2K deployments.
Yes. So the pkinit_eku_checking = W2k is per realm. The pkinit_anchors can also be set per realm.
So the same client could use a larger CA set for other non-Windows realms.
So if the KDC cert does not meet RFC 4556 and pkinit_eku_checking = w2k is set in the
krb5.conf [realm] section for the realm in question, the following must be true:
KDC cert has extension 1.3.6.1.4.1.311.20.2 with "DomainController"
KDC cert has extension SAN DNS: hostname
hostname matches the hostname of the expected KDC.
hostname is processed via [domain_realm] mapping to get realm.
Realm matches intended realm.
The KDC cert is verified against the CA as listed in the pkinit_anchors
for the realm.
This security is relying on the CA only signing certs with the 1.3.6.1.4.1.311.20.2
"DomainController" for *real* domain controllers. The SAN DNS: name would be the
name of the KDC. The [domain_realm] mapping would get the realm from any host
in the domain with a cert, but only a KDC would have "DomainController".
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
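The W2K-style KDC certificate check described in the message above, written out as an added example (not code from MIT Kerberos or from the author). The certificates, the [domain_realm] section and the anchor list are constructed; chain validation against pkinit_anchors is represented by a simple issuer-in-anchors lookup, which a real implementation would replace with full X.509 path validation.

```python
# Certificate Template Name extension carrying "DomainController" on W2K DC certs.
TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"

# Constructed [domain_realm] section (hypothetical names, as in krb5.conf).
DOMAIN_REALM = {".corp.example.com": "CORP.EXAMPLE.COM", ".example.com": "EXAMPLE.COM"}
PKINIT_ANCHORS = {"CN=Corp Root CA"}  # constructed per-realm anchor list

# Constructed parsed certificates: a real DC and an ordinary member server
# issued by the same CA with a valid SAN but a different template.
DC_CERT = {"issuer": "CN=Corp Root CA", "san_dns": ["kdc1.corp.example.com"],
           "extensions": {TEMPLATE_NAME_OID: "DomainController"}}
MEMBER_CERT = {"issuer": "CN=Corp Root CA", "san_dns": ["fs1.corp.example.com"],
               "extensions": {TEMPLATE_NAME_OID: "Machine"}}


def domain_realm_lookup(hostname, mapping):
    """Map a hostname to a realm the way [domain_realm] does: exact host first,
    then each parent domain with a leading dot, longest match first."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def w2k_kdc_cert_ok(cert, expected_kdc, intended_realm, mapping, anchors):
    """Apply the five conditions from the message; return (ok, reason)."""
    if cert["issuer"] not in anchors:  # stand-in for chain validation to pkinit_anchors
        return False, "issuer not in pkinit_anchors for this realm"
    if cert["extensions"].get(TEMPLATE_NAME_OID) != "DomainController":
        return False, "no DomainController template extension"
    if expected_kdc.lower() not in (n.lower() for n in cert["san_dns"]):
        return False, "SAN DNS does not match expected KDC hostname"
    realm = domain_realm_lookup(expected_kdc, mapping)
    if realm != intended_realm:
        return False, f"[domain_realm] maps host to {realm!r}, not {intended_realm!r}"
    return True, "ok"
```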