Anonymous pkinit and ticket policy

Jeffrey Altman jaltman at
Mon Nov 22 17:13:20 EST 2010

On 11/17/2010 6:58 PM, ghudson at wrote:
> Right now, if you enable anonymous pkinit (by creating the
> WELLKNOWN/ANONYMOUS principal), the KDC will issue tickets with the
> anonymous client principal and any service principal--same as any
> other client principal.
>
> It is not unheard of for services to offer some level of access to any
> user who can authenticate. The existence (real or perceived) of such
> services may discourage people from using anonymous pkinit for its
> major use cases--FAST armor and host registration via anonymous
> kadmin. If you are an integrator looking to simplify one of those use
> cases, you have caveats to worry about.

My perspective on this is that any service that is intentionally
offering services to any authentication without examining the
user principal name in any way is already providing an anonymous
service. Therefore, there is no change in the behavior.

If the service is in fact checking the user principal name, then
the WELLKNOWN/ANONYMOUS principal is highly unlikely to
conflict. However, in the case that it might conflict or that a
site would prefer not to offer anonymous functionality, then the
Kerberos profile should offer an option to disable anonymous support
within a realm even if WELLKNOWN/ANONYMOUS@REALM exists.

Jeffrey Altman
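The service-side check the thread keeps circling around, as an added example that is not code from this thread or from MIT Kerberos: a service whose ACL is "any authenticated user" decides whether a client principal is one of the anonymous names RFC 8062 defines (WELLKNOWN/ANONYMOUS@REALM, the form anonymous PKINIT issues, and the fully anonymous WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS) before granting access. The principal-string syntax assumed here is the usual text form name/instance@REALM with backslash escapes for '/', '@' and '\'; the function names, the trusted-realm set and the sample principals are this example's own, not anything the thread or the krb5 code base defines.

```python
"""Service-side rejection of anonymous Kerberos client principals.

Added example for the krbdev discussion above; not from the thread or
from MIT Kerberos. Assumes principals arrive as text in the form
name[/instance...]@REALM with backslash escaping of '/', '@' and '\\'
(an assumption about the caller, not a fact from the thread).
"""

# Well-known names from RFC 8062 (anonymity support for Kerberos).
WELLKNOWN_NAME_TYPE = "WELLKNOWN"
ANONYMOUS_NAME = "ANONYMOUS"
ANONYMOUS_REALM = "WELLKNOWN:ANONYMOUS"


def parse_principal(text):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'), honouring backslash escapes.

    Everything after the first unescaped '@' is the realm, so a '/' inside
    the realm (legal, if unusual) is not treated as a component separator.
    """
    components, realm = [], None
    current, escaped = [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "/" and realm is None:
            components.append("".join(current))
            current = []
        elif ch == "@" and realm is None:
            components.append("".join(current))
            current = []
            realm = ""  # marks that we are now inside the realm part
        else:
            current.append(ch)
    if escaped:
        raise ValueError("trailing backslash in principal: %r" % text)
    if realm is None:
        raise ValueError("principal has no realm: %r" % text)
    return components, "".join(current)


def is_anonymous(principal):
    """True for any WELLKNOWN/ANONYMOUS client, whatever realm the KDC put on it.

    Principal names are case-sensitive, so 'wellknown/anonymous@...' is an
    ordinary (if oddly named) user and is not treated as anonymous.
    """
    components, _realm = parse_principal(principal)
    return components == [WELLKNOWN_NAME_TYPE, ANONYMOUS_NAME]


def is_fully_anonymous(principal):
    """True only for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS (no realm authenticated)."""
    _components, realm = parse_principal(principal)
    return is_anonymous(principal) and realm == ANONYMOUS_REALM


def authorize(client_principal, trusted_realms, allow_anonymous=False):
    """Decision for an 'any authenticated user' ACL. Returns (allowed, reason).

    Without allow_anonymous, an anonymous PKINIT ticket is refused even
    though the KDC issued it for this service. With it, the client still
    has to come from a trusted realm, which keeps the fully anonymous
    form out unless the site deliberately lists WELLKNOWN:ANONYMOUS.
    """
    _components, realm = parse_principal(client_principal)
    if is_anonymous(client_principal) and not allow_anonymous:
        return False, "anonymous client rejected"
    if realm not in trusted_realms:
        return False, "realm %s not trusted" % realm
    if is_anonymous(client_principal):
        return True, "anonymous client from trusted realm %s" % realm
    return True, "authenticated user %s" % client_principal


if __name__ == "__main__":
    # Constructed sample clients; EXAMPLE.COM is a placeholder realm.
    trusted = {"EXAMPLE.COM"}
    for client in ("alice@EXAMPLE.COM",
                   "WELLKNOWN/ANONYMOUS@EXAMPLE.COM",
                   "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS"):
        print(client, "->", authorize(client, trusted),
              "/ with anonymous allowed:", authorize(client, trusted, True))
```

A service that compares the name against a list of users it knows is already safe, as the reply says; the check above is only for the "anyone who can authenticate" case, where the realm-wide switch proposed in the reply and this per-service decision are two different places to put the same policy.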
