Semantics for multiple pkinit_anchors/pkinit_pool lines
Greg Hudson
ghudson at mit.edu
Thu Jan 28 00:25:44 EST 2021
On 1/27/21 9:45 PM, Ken Hornstein wrote:
> Our implementation was changed so all errors were ignored when loading
> the root and intermediate certificates. This hasn't been a problem in
> practice, but I realize it might not be ideal.
It wouldn't break anyone's working configuration, but it could obscure
the reason for a new configuration not working. In the most likely case
where you have one anchor specification and it isn't right, the KDC
currently logs:
preauth pkinit failed to initialize: PKINIT initialization failed: Cannot open file '...': No such file or directory
and we'd lose that if errors were ignored. The trace log (where you'd
have to look on the client side) is pretty helpful with or without the
error being ignored.
PKINIT OpenSSL error: Cannot open file '...'
PKINIT OpenSSL error: error:02001002:system library:fopen:No such file or directory
> Keep track of errors and make it so it won't error out if at least
> one pkinit_anchors line works
This is probably fine. We'd still get our KDC log if there's one anchor
location and it can't be loaded, and the trace log would still note
which paths failed to load.
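The policy discussed above, modelled as an added example that is not krb5's own PKINIT code: each pkinit_anchors specification is tried in turn, every failure is recorded in a trace-style log, and initialization only fails (with a message naming each failed path) when no specification loaded. The "FILE:" prefix matches the krb5 configuration syntax; the PEM-header count used as a stand-in for certificate parsing, the AnchorLoadResult type and the make_demo_dir() helper that writes a constructed placeholder file are assumptions of this example.

```python
"""Model of 'do not fail if at least one pkinit_anchors line loads'.

Illustrative only: not krb5 code. Certificate parsing is replaced by a
count of PEM certificate headers, which is an assumption of this example.
"""
import os
import tempfile
from dataclasses import dataclass, field


class AnchorInitError(Exception):
    """Raised only when none of the anchor specifications could be loaded."""


@dataclass
class AnchorLoadResult:
    loaded: list = field(default_factory=list)   # specs that loaded
    failed: list = field(default_factory=list)   # (spec, reason) pairs
    trace: list = field(default_factory=list)    # trace-log style lines


def _load_one(spec):
    """Load one anchor spec of the form FILE:<path>.

    Returns the number of PEM certificate blocks found. A missing file
    raises OSError; an unsupported prefix or an empty file raises ValueError.
    """
    if not spec.startswith("FILE:"):
        raise ValueError(f"unsupported anchor specification {spec!r}")
    path = spec[len("FILE:"):]
    with open(path, "r", encoding="utf-8") as fh:   # OSError if absent
        data = fh.read()
    count = data.count("-----BEGIN CERTIFICATE-----")
    if count == 0:
        raise ValueError(f"no certificates found in {path!r}")
    return count


def load_anchors(specs):
    """Try every spec; record each failure; fail only if nothing loaded."""
    result = AnchorLoadResult()
    for spec in specs:
        try:
            n = _load_one(spec)
        except (OSError, ValueError) as exc:
            # Keep going, but leave a trace entry naming the failed path.
            result.failed.append((spec, str(exc)))
            result.trace.append(f"PKINIT anchor load error: {spec}: {exc}")
            continue
        result.loaded.append(spec)
        result.trace.append(f"PKINIT loaded {n} anchor cert(s) from {spec}")
    if not result.loaded:
        # Equivalent of the KDC log line: every reason is surfaced, so a
        # single wrong anchor path is still diagnosable from the log.
        reasons = "; ".join(f"{s}: {r}" for s, r in result.failed)
        raise AnchorInitError(f"PKINIT initialization failed: {reasons}")
    return result


def make_demo_dir():
    """Create a temp dir with one constructed placeholder anchor file and
    return (existing_path, missing_path). The file content is a fake PEM
    block, not a real certificate."""
    d = tempfile.mkdtemp(prefix="pkinit-anchors-demo-")
    good = os.path.join(d, "ca.pem")
    with open(good, "w", encoding="utf-8") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"
                 "-----END CERTIFICATE-----\n")
    missing = os.path.join(d, "missing.pem")
    return good, missing


if __name__ == "__main__":
    good, missing = make_demo_dir()
    res = load_anchors([f"FILE:{good}", f"FILE:{missing}"])
    for line in res.trace:
        print(line)
    try:
        load_anchors([f"FILE:{missing}"])
    except AnchorInitError as exc:
        print("KDC log:", exc)
```

Running it prints one "loaded" and one "load error" trace line for the mixed case, and the single-bad-anchor case raises with the full reason, which is the behaviour the thread wants to preserve.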