Automatic FAST via Anonymous PKINIT

Nico Williams nico at
Wed May 21 17:23:33 EDT 2014

On Tue, May 20, 2014 at 1:59 PM, Nathaniel McCallum
<npmccallum at> wrote:
> === CLIENT TRUST ===
> Using other methods of establishing the FAST channel imply an already
> established trust between the client and the server. In the case of
> SSSD, for instance, the client has already been added to the FreeIPA
> realm. This added level of trust is necessary because, unlike
> non-preauth Kerberos, long term secrets are going over the wire. When
> using Anonymous PKINIT, this trust takes the form of trusting a
> certificate's CA chain. We have discussed four approaches with MIT.

One more possible method for establishing trust would be for the user
to convey it via their realm name, something like:

foouser at +MYREALM



I like the first because it's easy to use, though technically it is
camping, but I don't think I care in this case.

This has the added benefit that setting +MYREALM as a default/user
realm in krb5.conf is all that would have to be done to configure FAST
support.  Unfortunately this would probably break things like Java
JGSS, so never mind this part.


More information about the krbdev mailing list