Fwd: PKINIT and DN Mapping support in MIT kerberos

Matthieu Hautreux matthieu.hautreux at gmail.com
Thu Dec 1 10:54:51 EST 2011

I forgot to reply to all. Below is my previous email concerning the
PKINIT/DN mapping in MIT kerberos.

I would be pleased to have any comments on that subject.

Best regards,

---------- Forwarded message ----------
From: Matthieu Hautreux <matthieu.hautreux at gmail.com>
Date: 2011/11/30
Subject: Re: PKINIT and DN Mapping support in MIT kerberos
To: Sam Hartman <hartmans at painless-security.com>

Thank you Sam for your answer.

The new feature you mentioned seems really interesting and could be
used to associate one or multiple DNs with a kerberos principal instead of
managing it externally using a mapping file. As my goal is to have
something that could be used with a RedHat 6 distribution (including
MIT kerberos 1.8), I am not sure that it will be easy to make a patch
using that feature. A patch for the mapping file support only could
probably be easier to do.
Do you know if RedHat is thinking about switching to a more recent
version of MIT kerberos in their next upgrades? If they plan to
switch to 1.10 in their future 6.x upgrades, I think that it would be
worth such an effort, but if not, I would probably only consider the
mapping file implementation. Do you think that you could also consider
it for inclusion in case I provide you some code for that?

My main objective is to make the glue between GSI-SSH and Kerberos in
a grid environment using PKINIT AS_REQ with proxy certificates.
Douglas E. Engert gave me some interesting information concerning that
possibility, that is to say that the MIT implementation does not currently
support the proxy certificate profile as detailed in RFC3820 in its
PKINIT preauth plugin.
Do you confirm that, and if it is the case, do you know if it is
something that will happen soon? My current working prototype is
based on heimdal-1.5.1, which includes this ability. As I said, heimdal
is not yet supported by RedHat and I would rather keep the MIT
implementation to ease the support in a production environment.
However, if heimdal is the only implementation that supports the proxy
certificate profile, I will no longer have the choice :(

Best regards,

2011/11/28 Sam Hartman <hartmans at painless-security.com>:
> I don't know of any current plans to handle this.  However, we've
> recently introduced the ability to store strings associated with a
> principal; see
> http://k5wiki.kerberos.org/wiki/Projects/Principal_entry_string_mapping
> . With that code it might be relatively easy to write a patch that
> permitted you to set an expected DN for a certificate for a given
> principal.
> I don't know of any plans to write such a patch, but if you do work on
> that I'd be happy to review your work and consider it for inclusion.
> --Sam
