Support for X509 certificate PKINIT auth in kadmin

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Mar 29 08:30:08 EDT 2023


>The kadmin client connects to the MIT Kerberos kadmin server using
>password-based or keytab authentication. Although it supports anonymous
>PKINIT, it would be good if the kadmin client could also accept X.509 PKINIT
>certificate-based authentication, just as kinit does.

As far as I can tell, _if_ you have everything configured correctly
then you can use PKINIT with kadmin just fine (both kadmin and kinit
end up calling the same function, krb5_get_init_creds_password(),
which should do all of the same magic if the principal you are using
is configured for PKINIT).

If you're talking about the fact that kadmin doesn't support something
like the "-X X509_user_identity" option that kinit does, well, I explained
how to work around that here:

	https://mailman.mit.edu/pipermail/kerberos/2023-March/022952.html

I personally would have no objections if kadmin added support for that,
but a quick glance at the source code suggests to me it would require
some not-insignificant kadm5 API changes.

--Ken
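Added illustration, not part of Ken's message or of the linked post: because kadmin goes through the same krb5_get_init_creds_password() path as kinit, the PKINIT client identity can be supplied from krb5.conf instead of a per-command -X option. The pkinit_identities and pkinit_anchors settings are documented MIT krb5.conf realm options; the realm name, hostnames and file paths below are placeholders.

```ini
# Added example krb5.conf fragment (placeholder realm, hosts and paths).
# With these settings, any client using krb5_get_init_creds_password(),
# kinit and kadmin included, attempts PKINIT for principals that the KDC
# has configured for it, with no "-X X509_user_identity" on the command line.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
        # Client certificate and private key presented during PKINIT
        # pre-authentication (FILE:certfile,keyfile form).
        pkinit_identities = FILE:/path/to/user.crt,/path/to/user.key
        # CA certificate(s) used to validate the KDC's PKINIT certificate;
        # without a trust anchor the client rejects the KDC reply.
        pkinit_anchors = FILE:/path/to/ca.crt
    }
```

A quick way to confirm the configuration is in effect is to run kinit for the PKINIT-enabled principal with no -X option and check that no password prompt appears; kadmin for the same principal then follows the same path.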


More information about the krbdev mailing list