Support for X509 certificate PKINIT auth in kadmin
vineeth shyam
vineethshyam at yahoo.com
Wed Mar 29 12:07:26 EDT 2023
Thanks Ken.
I believe, kadmin using password/ keytab based authentication doesnt require kadmin/admin principal's service ticket when trying to connect to kadmind server.
Despite setting DISALLOW_TGT_BASED and DISALLOW_SVR on kadmin/admin principal, I can use password/keytab based auth in my kadmin command and connect to kadmind & get the kadmin prompt.e.g. kadmin -p <xyz>/admin -kt xyzadmin.keytab
NOTE: setting DISALLOW_SVR on service principals like kadmin/admin might be a personal choice.
Where as, PKINIT X.509 certificate based pre-auth doesnt give me the service ticket for kadmin/admin (when DISALLOW_SVR is set) via kinit e.g. kinit -X <X509-CERT&KEY-of-xyz/admin> -S kadmin/admin <xyz/admin>thus kadmin -c <credentials_cache> wouldnt work and cant connect to kadmind.
Its essential that kadmin also supports -X X509 Certificate /PKINIT based pre-auth (instead of getting the TGT & ST via kinit into credentials cache) similar to password/keytab based auth.
Wishes-Vineeth
On Wednesday, 29 March 2023 at 06:00:13 PM IST, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>The kadmin client connects to MIT Kerberos kadmin server using
>password-based or keytab authentication. Although it supports anonymous
>PKINIT, it would be good if kadmin client can also accept X.509 PKINIT
>certificate based authentication just like how kinit does.
As far as I can tell, _if_ you have everything configured correctly
then you can use PKINIT with kadmin just fine (both kadmin and kinit
end up calling the same function, krb5_get_init_creds_password(),
which should do all of the same magic if the principal you are using
is configured for PKINIT).
If you're talking about the fact that kadmin doesn't support something
like the "-X X509_user_identity" option that kinit does, well, I explained
how to work around that here:
https://mailman.mit.edu/pipermail/kerberos/2023-March/022952.html
I personally would have no objections if kadmin added support for that,
but a quick glance at the source code suggests to me it would require
some not-insignificant kadm5 API changes.
--Ken
More information about the krbdev
mailing list