PKINIT support in MIT Kerberos : are enhancements planned ?

Tom Yu tlyu at MIT.EDU
Wed Jan 4 16:57:07 EST 2012

[redirecting to krbdev]

Matthieu Hautreux <matthieu.hautreux at> writes:

> I am currently working on a way to bind gsi-ssh and kerberos using
> PKINIT in order to offer a seamless access to a kerberized remote
> environment using the X509 material of the client.
> I am facing two problems that prevent me from having something working
> properly with MIT kerberos implementations:
>   1/ GSI-SSH uses proxy-certificates to provide single sign-on on the
> remote side. To get a kerberos token out of the x509 material on the
> server, I need to have a kerberos implementation supporting
> proxy-certificates.

What level of support do you need for RFC 3820 proxy certificates?  Do
restrictions in the proxy certificates need to somehow be expressed in
the Kerberos ticket?  Is it sufficient to perform the RFC 3820 basic
validation procedure?  (I'm not too familiar with the details of RFC
3820, so please correct me if I misunderstand something.)

>   2/ We are using multiple PKIs that were defined prior to any
> consideration of doing PKINIT stuff and can not be modified. We can
> not rely on a simple DN<->principal mapping as this feature is not
> supported in current MIT implementation.

There are several ways we could do that, but there does seem to be an
existing unimplemented (and possibly undocumented) configuration
option to specify a DN mapping file.  It would be cleaner to use
per-principal information stored in the KDC database though.  Keeping
the DN mapping in a separate file seems like it would be more
troublesome for the day-to-day administration of a realm.
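As an added illustration, not code from MIT Kerberos or from either poster, the Python below sketches the two pieces discussed in this thread: the RFC 3820 basic naming and path-length checks on a proxy-certificate chain (proxy issuer equals the previous subject, proxy subject is the issuer's subject plus exactly one CN component, pCPathLenConstraint honoured, no proxy asserting cA), followed by a DN-to-principal lookup in a mapping file of the kind the reply mentions. The Cert structure, the tab-separated mapping-file format, and all sample DNs and principals are constructed assumptions; in a real deployment these fields would come from parsed X.509 certificates, and signature, validity-period and trust-anchor checks on the end-entity certificate are assumed to happen elsewhere.

```python
"""Constructed RFC 3820 proxy-chain checks plus a DN -> principal mapping file.

Illustration only: not MIT Kerberos code, and not a full X.509 validator.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

RDN = tuple[str, str]      # (attribute type, value), e.g. ("CN", "user")
DN = tuple[RDN, ...]       # ordered sequence of RDNs


@dataclass(frozen=True)
class Cert:
    """Just the fields the RFC 3820 naming/path rules look at (assumed model)."""
    subject: DN
    issuer: DN
    is_proxy: bool = False          # certificate carries a ProxyCertInfo extension
    path_len: Optional[int] = None  # pCPathLenConstraint; None means unlimited
    is_ca: bool = False             # BasicConstraints cA flag


class ProxyValidationError(ValueError):
    """Raised when a chain violates the RFC 3820 naming or path-length rules."""


def validate_proxy_chain(chain: list[Cert]) -> DN:
    """chain[0] is the end-entity certificate (EEC); chain[1:] are proxies in
    issuing order. Returns the EEC subject DN, which is what a DN->principal
    mapping should key on (the proxy CNs are throw-away per-session values)."""
    if not chain:
        raise ProxyValidationError("empty chain")
    eec = chain[0]
    if eec.is_proxy or eec.is_ca:
        raise ProxyValidationError("chain must start with an end-entity certificate")
    remaining: Optional[int] = None   # proxies still allowed below the current one
    prev = eec
    for depth, cert in enumerate(chain[1:], start=1):
        if not cert.is_proxy:
            raise ProxyValidationError(f"cert {depth} lacks ProxyCertInfo")
        if cert.is_ca:
            raise ProxyValidationError(f"proxy {depth} asserts cA")
        if cert.issuer != prev.subject:
            raise ProxyValidationError(f"proxy {depth} not issued by previous subject")
        # RFC 3820 section 3.1: subject = issuer subject + exactly one CN RDN.
        if (len(cert.subject) != len(cert.issuer) + 1
                or cert.subject[:-1] != cert.issuer
                or cert.subject[-1][0] != "CN"):
            raise ProxyValidationError(f"proxy {depth} subject is not issuer + one CN")
        # Path-length bookkeeping: an earlier pCPathLenConstraint of 0 forbids this cert.
        if remaining is not None:
            if remaining == 0:
                raise ProxyValidationError(f"proxy {depth} exceeds pCPathLenConstraint")
            remaining -= 1
        if cert.path_len is not None:
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)
        prev = cert
    return eec.subject


def chain_is_valid(chain: list[Cert]) -> bool:
    """Boolean wrapper around validate_proxy_chain for callers that just want yes/no."""
    try:
        validate_proxy_chain(chain)
        return True
    except ProxyValidationError:
        return False


def dn_to_string(dn: DN) -> str:
    """Canonical string form used as the mapping-file key (assumed format)."""
    return ",".join(f"{attr}={value}" for attr, value in dn)


def load_dn_map(text: str) -> dict[str, str]:
    """Parse constructed 'DN<TAB>principal' lines; '#' starts a comment."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dn, principal = line.split("\t", 1)
        mapping[dn.strip()] = principal.strip()
    return mapping


def principal_for_chain(chain: list[Cert], dn_map: dict[str, str]) -> str:
    """Validate the chain, then map the EEC DN to a Kerberos principal."""
    eec_dn = dn_to_string(validate_proxy_chain(chain))
    if eec_dn not in dn_map:
        raise ProxyValidationError(f"no principal mapped for {eec_dn}")
    return dn_map[eec_dn]


# Constructed sample data (placeholder names, not from the thread).
CA_DN: DN = (("C", "XX"), ("O", "Example Org"), ("CN", "Example CA"))
EEC_DN: DN = (("C", "XX"), ("O", "Example Org"), ("CN", "user"))
EEC = Cert(subject=EEC_DN, issuer=CA_DN)
PROXY1 = Cert(subject=EEC_DN + (("CN", "1001"),), issuer=EEC_DN, is_proxy=True, path_len=1)
PROXY2 = Cert(subject=PROXY1.subject + (("CN", "2002"),), issuer=PROXY1.subject, is_proxy=True)
PROXY3 = Cert(subject=PROXY2.subject + (("CN", "3003"),), issuer=PROXY2.subject, is_proxy=True)
GOOD_CHAIN = [EEC, PROXY1, PROXY2]
TOO_DEEP_CHAIN = [EEC, PROXY1, PROXY2, PROXY3]   # PROXY1 allowed only one more level
BAD_NAME_PROXY = Cert(subject=EEC_DN + (("CN", "1"), ("CN", "2")), issuer=EEC_DN, is_proxy=True)
DN_MAP_TEXT = "# DN\tprincipal\nC=XX,O=Example Org,CN=user\tuser@EXAMPLE.ORG\n"

if __name__ == "__main__":
    print(principal_for_chain(GOOD_CHAIN, load_dn_map(DN_MAP_TEXT)))
```

The point of keying the map on the end-entity DN rather than the proxy subject is that every proxy adds a fresh CN, so a per-proxy mapping could never be maintained; the same consideration applies whether the mapping lives in a file or, as the reply prefers, in per-principal KDC database entries.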
