Suggestion of change to certauth plugin interface

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Dec 9 07:16:14 EST 2022


>This wouldn't necessarily require a major API bump, but can you 
>elaborate on what a certauth module would be interested in the 
>configured realm list, and can't build it up as queries come in?

Sure.  I mentioned before that one of my plugins was for doing OCSP
checking of client certificates for PKINIT.  Well, it turns out that
to do that, you need to build up the complete certificate chain so you
can check the status of intermediate certificates.  To do that, you
need access to the same certificate store that the KDC is using.  So
what I decided to do was parse the same pkinit_anchors and pkinit_pool
lines and build up a certificate store so X509_verify() can build a
certificate chain.  For THAT, you need access to the known realms so you
can build up the same configuration hierarchy that the KDC uses.  Also,
there are a bunch of configuration options for this plugin that use the
same configuration hierarchy and for that you need the known realms.  I
realize in theory that you could do this as queries come in, but ...
that kind of sucks.  For one, if you have problems during initialization
you can't signal this back as part of plugin initialization.  And if you
want to output a warning message about a configuration problem you really
want to do this at startup, not as a query comes in.

>There's a potential mode of KDC operation where multiple realms live in 
>the same database, and realms can be added and removed while the KDC is 
>running.  This mode isn't currently supported (the kadmin/kdb5_util 
>tooling doesn't exist, and the KDC code only 99% supports it), but I'd 
>like to think carefully about adding plugin interfaces which conflict 
>with that option.

I think that conflict already exists?  I looked at other plugins to see
what they do, and the reason I asked about this was that the KDC-side
preauth interface gets passed in a static list of realms and uses that
to do per-realm configuration (I was cribbing a lot of implementation
details from the pkinit plugin).

>Does NRL use the current multiple realm KDC support?  I have been 
>assuming that it's very rare to do so, because there isn't equivalent 
>support in kadmind.

We do not, and I do not know of anyone that does that (but I probably
am only familiar with the configuration of less than a dozen realms
and most of them are in a similar environment as ours, so it doesn't
make sense in those situations).

--Ken
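
The startup-time resolution described in this message, as an added example (not code from Ken's plugin or from MIT krb5): with the realm list available at initialization, a module can resolve pkinit_anchors and pkinit_pool for every realm and report all configuration problems before any query arrives. The parser is a simplified stand-in for the krb5 profile library; the sample config, the function names, the FILE:/DIR:-only restriction and the realm-subsection-before-[kdcdefaults] lookup order are assumptions.

```python
# Constructed kdc.conf fragment (sample data, not from the original message).
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    pkinit_anchors = FILE:/etc/pki/kdc/root-ca.pem
    pkinit_pool = DIR:/etc/pki/kdc/intermediates
[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/pki/kdc/example-root.pem
    }
    TEST.EXAMPLE.COM = {
        pkinit_anchors = PKCS11:opensc-pkcs11.so
    }
"""
OPTIONS = ("pkinit_anchors", "pkinit_pool")
LOADABLE = ("FILE:", "DIR:")  # assumption: types this hypothetical plugin loads

def parse_profile(text):
    """Simplified profile parser: sections plus one level of NAME = { ... }."""
    profile, section, sub = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, sub = profile.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub).setdefault(key, []).append(value)
    return profile

def resolve_at_init(profile, realms):
    """Resolve options per realm; collect problems for plugin init to report."""
    stores, warnings = {}, []
    defaults = profile.get("kdcdefaults", {})
    for realm in realms:
        realm_conf = profile.get("realms", {}).get(realm, {})
        stores[realm] = {}
        for opt in OPTIONS:
            # Realm subsection wins; otherwise fall back to [kdcdefaults].
            values = realm_conf.get(opt) or defaults.get(opt, [])
            bad = [v for v in values if not v.startswith(LOADABLE)]
            warnings += [f"{realm}: unsupported {opt} value {v!r}" for v in bad]
            stores[realm][opt] = [v for v in values if v not in bad]
        if not stores[realm]["pkinit_anchors"]:
            warnings.append(f"{realm}: no usable trust anchors")
    return stores, warnings
```

A non-empty warnings list is what the init function would log or turn into an initialization failure, which is not possible when the same resolution is deferred to the first query for a realm.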

