Implementing a PKINIT AS exchange
oriol caño
oriol292 at gmail.com
Tue Jan 19 05:52:54 EST 2016
Hello,
I am working on a project for MIT Kerberos; the wiki page is the
following one:
http://k5wiki.kerberos.org/wiki/Projects/Realm_Crossover_between_KDCs
I want to perform an AS exchange between two different KDCs, and I want to
do it using a sort of PKINIT exchange with Elliptic Curve, following RFC
5349.
I think this is currently not supported by the KDC, but it wouldn't be a
problem, because I am doing all the logic in a daemon that executes on the
same machine as the KDC. The daemon gets the requests from the KDC, which
redirects them.
My problem is, I couldn't find how to create an AS request in order to send
it through the Internet.
As far as I have seen, the initial AS exchange is performed with the set of
functions krb5_get_init_creds_X. These functions manage the AS exchange
internally, and they do not seem to be easy to adapt to my needs.
I may be wrong in my assumptions, I don't know the code that well.
What do you think should be my approach?
One of my ideas was to build the AS_REQ myself and send it to the KDC, but
this does not seem to be the approach taken by the kinit client, for
example, so I am not sure how to do it.
Thanks for your help in advance.
Kind regards,
Oriol Caño