Comments on the use of plugins - use of pkinit_kdc_hostname

Douglas E. Engert deengert at
Wed Jun 20 11:20:19 EDT 2007

Henry B. Hotz wrote:
> On Jun 19, 2007, at 9:03 AM, krbdev-request at wrote:
>>>>  No, the issue is that without trusting DNS, you don't know
>>>> that the SRV record returned the right cert.
>>     Douglas> This DNS trust issue is the same problem you have without
>>     Douglas> PKINIT, and is related to IP spoofing, i.e. how does the
>>     Douglas> client know it is talking to the real KDC?
>> No.  I can trust the KDC because only it knows my password.  (That's
>> different from the system I'm logging into trusting me, which requires
>> that it have a host key.)  But normal Kerberos does not depend on the
>> security of the DNS.  If your DNS is returning the wrong information
>> you can get denial of service, but you cannot make a trusted local
>> user believe they are talking to a KDC that does not know their
>> password.
> Let me make sure I'm tracking this thread:  We're only worried about  
> trust when the KDC cert doesn't have the right 4556 attributes. 

Yes, and current Windows AD KDCs, would be 99% of them. So I think
this is a thread on how to verify existing Windows AD that already support
smart cards. Noting that some of the co-authors of 4556 are from Microsoft,
I would expect the situation to change in some future release.

> If it has the right attributes, then the only trust issue is the
> standard X509 one of making sure the right certs (and only the right  
> certs from a genuinely trusted CA) are available on the client to  
> verify the KDC's cert.

Yes. And that the cert presented by the KDC was intended to be a KDC
cert for the correct realm as signed by the trusted CA.
i.e. make sure some user or host with a valid cert is not pretending
to be a KDC.

The idea is to not have to preload the KDC certs or the names of the
KDCs in the krb5.conf on the clients, as KDCs (DomainControllers) come
and go in large organizations.

I believe this can be achieved by checking for the extension
with the "DomainController" and the SAN of DNS: <kdc-hostname>. and
deriving the realm name from the <kdc-hostname>.

> Correct?
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at, or hbhotz at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
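
The check proposed in the message above, sketched as an added example; it is not code from the original post or from any Kerberos implementation. It works on already-decoded certificate fields and assumes the chain has already verified to the trusted CA; `CertFields`, `accept_kdc_cert` and the realm rule (DNS domain of the KDC host, upper-cased) are assumptions of this example, and the sample certificates are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DC_TEMPLATE = "DomainController"  # extension value named in the message above

@dataclass
class CertFields:
    """Decoded fields of a cert whose chain already verified to a trusted CA."""
    template_name: Optional[str]                       # None if extension absent
    san_dns: List[str] = field(default_factory=list)   # SAN dNSName entries

def _norm(host: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return host.rstrip(".").lower()

def realm_from_hostname(kdc_hostname: str) -> Optional[str]:
    # Assumption of this example: realm = DNS domain of the KDC, upper-cased.
    _, _, domain = _norm(kdc_hostname).partition(".")
    return domain.upper() or None

def accept_kdc_cert(cert: CertFields, contacted_host: str, realm: str) -> Tuple[bool, str]:
    if cert.template_name != DC_TEMPLATE:
        return False, "no DomainController extension"
    if _norm(contacted_host) not in {_norm(n) for n in cert.san_dns}:
        return False, "contacted host not in SAN dNSName"
    if realm_from_hostname(contacted_host) != realm:
        return False, "hostname does not map to requested realm"
    return True, "ok"

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_DC = CertFields("DomainController", ["DC1.corp.example.com"])
SAMPLE_USER = CertFields(None, ["dc1.corp.example.com"])  # valid cert, not a KDC

if __name__ == "__main__":
    for cert, host, realm in [
        (SAMPLE_DC, "dc1.corp.example.com.", "CORP.EXAMPLE.COM"),
        (SAMPLE_USER, "dc1.corp.example.com", "CORP.EXAMPLE.COM"),
        (SAMPLE_DC, "dc2.corp.example.com", "CORP.EXAMPLE.COM"),
        (SAMPLE_DC, "dc1.corp.example.com", "EXAMPLE.COM"),
    ]:
        print(host, realm, accept_kdc_cert(cert, host, realm))
```

The second sample is the case the message warns about: a certificate that chains to the trusted CA and even carries the KDC's name, but lacks the DomainController extension, is rejected.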
