Suggestion of change to certauth plugin interface

Alexander Bokovoy abokovoy at
Fri Dec 9 07:48:16 EST 2022

On Fri, 09 Dec 2022, Ken Hornstein via krbdev wrote:
>>This wouldn't necessarily require a major API bump, but can you
>>elaborate on what a certauth module would be interested in the
>>configured realm list, and can't build it up as queries come in?
>Sure.  I talked before that one of my plugins was for doing OCSP
>checking of client certificates for PKINIT.  Well, it turns out that
>to do that, you need to build up the complete certificate chain so you
>can check the status of intermediate certificates.  To do that, you
>need access to the same certificate store that the KDC is using.  So
>what I decided to do was parse the same pkinit_anchors and pkinit_pool
>lines and build up a certificate store so X509_verify() can build a
>certificate chain.  For THAT, you need access to the known realms so you
>can build up the same configuration hierarchy that the KDC uses.  Also,
>there are a bunch of configuration options for this plugin that use the
>same configuration hierarchy and for that you need the known realms.  I
>realize in theory that you could do this as queries come in, but ...
>that kind of sucks.  For one, if you have problems during initialization
>you can't signal this back as part of plugin initialization.  And if you
>want to output a warning message about a configuration problem you really
>want to do this at startup, not as a query comes in.

It would probably be great to share that functionality between certauth
and pkinit plugins. PKINIT code already has it; if we could have turned
that into a common library that could be used by certauth plugins, it
would probably have helped everyone to keep the configuration and behavior
the same between the authentication and authorization parts...

>>There's a potential mode of KDC operation where multiple realms live in
>>the same database, and realms can be added and removed while the KDC is
>>running.  This mode isn't currently supported (the kadmin/kdb5_util
>>tooling doesn't exist, and the KDC code only 99% supports it), but I'd
>>like to think carefully about adding plugin interfaces which conflict
>>with that option.
>I think that conflict already exists?  I looked at other plugins to see
>what they do, and the reason I asked about this was that the KDC-side
>preauth interface gets passed in a static list of realms and uses that
>to do per-realm configuration (I was cribbing a lot of implementation
>details from the pkinit plugin).
>>Does NRL use the current multiple realm KDC support?  I have been
>>assuming that it's very rare to do so, because there isn't equivalent
>>support in kadmind.
>We do not, and I do not know of anyone that does that (but I probably
>am only familiar with the configuration of less than a dozen realms
>and most of them are in a similar environment as ours, so it doesn't
>make sense in those situations).

FreeIPA and Samba AD would need to support multiple realms in the same
database (or the like) to imitate the NetBIOS realm aliases Active Directory
provides in its UPN handling. Right now it is a bit awkward...

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
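The per-realm configuration lookup Ken describes (pkinit_anchors and pkinit_pool resolved through the realm hierarchy, which is why a plugin wants the known realm list at initialization), as an added Python example that is not code from this thread or from krb5: a minimal kdc.conf-style parser, the realm-block-then-kdcdefaults lookup order, and startup-time validation of the certificate store specs. The config text, realm list and paths are constructed; the FILE/DIR/ENV prefixes mirror the value forms krb5's pkinit accepts.

```python
# Constructed kdc.conf fragment for this example (not taken from the thread).
SAMPLE_KDC_CONF = """
[kdcdefaults]
    pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
    pkinit_pool = DIR:/etc/krb5kdc/intermediates
[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/krb5kdc/example-ca.pem
    }
    BROKEN.NET = {
        pkinit_pool = BOGUS:/nowhere
    }
"""
KNOWN_REALMS = ["EXAMPLE.COM", "BROKEN.NET", "OTHER.ORG"]  # constructed realm list

def parse_kdc_conf(text):
    """Minimal profile parser: {'kdcdefaults': {k: [v]}, 'realms/REALM': {k: [v]}}."""
    conf, section, realm = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = (p.strip() for p in line.partition("="))
        if line.startswith("#"):
            continue
        elif line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":                      # end of a per-realm block
            realm = None
        elif sep and value == "{":             # start of a per-realm block
            realm = key
        elif sep:
            target = f"{section}/{realm}" if realm else section
            conf.setdefault(target, {}).setdefault(key, []).append(value)
    return conf
def lookup(conf, realm, key):
    """KDC-style lookup order: the realm's [realms] block first, then [kdcdefaults]."""
    return conf.get(f"realms/{realm}", {}).get(key) or conf.get("kdcdefaults", {}).get(key, [])
def parse_cert_spec(spec):
    """Split 'FILE:/path' style values; an unknown prefix is a startup-time error."""
    kind, sep, value = spec.partition(":")
    if not sep or kind not in ("FILE", "DIR", "ENV"):
        raise ValueError(f"unsupported certificate spec: {spec!r}")
    return kind, value
def build_store_specs(text, realms):
    """Resolve anchors/pool for every known realm, collecting errors at init time."""
    conf, stores, errors = parse_kdc_conf(text), {}, {}
    for realm in realms:
        try:
            stores[realm] = {k: [parse_cert_spec(s) for s in lookup(conf, realm, "pkinit_" + k)]
                             for k in ("anchors", "pool")}
        except ValueError as e:
            errors[realm] = str(e)
    return stores, errors
```

Without the realm list, the BROKEN.NET misconfiguration would only surface when the first request for that realm arrives; with it, the plugin can report it from its initialization hook.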