trouble with pkinit

Nico Williams nico at cryptonector.com
Sat Apr 18 02:35:30 EDT 2026


On Sat, Apr 18, 2026 at 08:45:19AM +0300, Alexander Bokovoy wrote:
> We are doing something similar with localkdc where user principals do not
> exist in the KDC database but our KDB driver looks them up through
> external sources (userdb interface systemd provides on top of NSS). You
> still need to resolve get_principal() request by the KDC to answer the
> questions which pre-auth mechanisms could be enabled for this principal.

The observation in Heimdal's synthetic principals feature is that if
there is a pre-auth mechanism that can externally identify and
authenticate the principal, and the principal record does not exist,
then we can synthesize without further ado.  PKINIT can do that.
Encrypted challenges can't.  So if the principal record doesn't exist
then we can synthesize one that allows PKINIT and not encrypted
challenges, which is what we do, but we don't do it for the purposes of
KRB-ERROR generation for pre-auth-less AS-REQs -- _that_ is the bug
biting Geoffrey.

Nico
-- 
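The decision Nico describes, as an added example that is not part of the original thread and is not Heimdal or MIT code: a small model of a KDC that consults its principal database, synthesizes a record admitting only PKINIT when none exists, and either does or does not apply that synthesis on the KRB-ERROR path for a pre-auth-less AS-REQ. Pre-auth type and error code numbers are the RFC 4120/6113 values; the class and function names, the toy certificate check and the sample principals are assumptions made for illustration.

```python
# Added example: simplified model of KDC pre-auth selection with synthetic
# principals. Constant values follow RFC 4120 and RFC 6113; the class and
# function names, the stand-in credential checks and the sample database
# are assumptions for illustration, not Heimdal or MIT code.
from dataclasses import dataclass
from typing import Optional

# Pre-authentication types (RFC 4120 sec. 7.5.2, RFC 6113 sec. 8).
PA_PK_AS_REQ = 16             # PKINIT (RFC 4556)
PA_ETYPE_INFO2 = 19
PA_ENCRYPTED_CHALLENGE = 138  # RFC 6113

# KDC error codes (RFC 4120 sec. 7.5.9).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25


@dataclass(frozen=True)
class Principal:
    name: str
    long_term_key: Optional[bytes]   # None: no key, so no encrypted challenge
    allowed_preauth: frozenset       # pre-auth types this record admits
    synthetic: bool = False


@dataclass(frozen=True)
class KdcReply:
    error: Optional[int]             # None stands for a successful AS-REP
    hints: frozenset = frozenset()   # PA types advertised in a KRB-ERROR


def pkinit_verify(value: dict, client: str) -> bool:
    """Stand-in for PKINIT certificate validation and name mapping.

    A real KDC checks the signature, chain and trust anchors; the constructed
    'certificate' here just carries the principal name it is bound to.
    """
    return value.get("cert_principal") == client


class Kdc:
    def __init__(self, db: dict, synthesize_for_errors: bool):
        self.db = db
        # False reproduces the behaviour discussed above: synthesis is
        # skipped when building the KRB-ERROR for a pre-auth-less AS-REQ.
        self.synthesize_for_errors = synthesize_for_errors

    def get_principal(self, client: str, error_path: bool) -> Optional[Principal]:
        rec = self.db.get(client)
        if rec is not None:
            return rec
        if error_path and not self.synthesize_for_errors:
            return None
        # No record exists: synthesize one that admits only a mechanism able
        # to identify and authenticate the client externally (PKINIT), and
        # not encrypted challenge, which would need a long-term key.
        return Principal(client, long_term_key=None,
                         allowed_preauth=frozenset({PA_PK_AS_REQ}),
                         synthetic=True)

    def handle_as_req(self, client: str, padata: dict) -> KdcReply:
        """padata maps PA type -> value; an empty dict is a pre-auth-less AS-REQ."""
        rec = self.get_principal(client, error_path=not padata)
        if rec is None:
            return KdcReply(KDC_ERR_C_PRINCIPAL_UNKNOWN)
        if not padata:
            # Advertise only what this record can actually verify.
            hints = set(rec.allowed_preauth)
            if rec.long_term_key is not None:
                hints.add(PA_ETYPE_INFO2)
            return KdcReply(KDC_ERR_PREAUTH_REQUIRED, frozenset(hints))
        if PA_PK_AS_REQ in padata and PA_PK_AS_REQ in rec.allowed_preauth:
            if pkinit_verify(padata[PA_PK_AS_REQ], client):
                return KdcReply(None)
            return KdcReply(KDC_ERR_PREAUTH_FAILED)
        if (PA_ENCRYPTED_CHALLENGE in padata
                and PA_ENCRYPTED_CHALLENGE in rec.allowed_preauth
                and rec.long_term_key is not None):
            # Stand-in for the key-based challenge check; a synthetic record
            # never reaches this branch because it admits no such mechanism.
            if padata[PA_ENCRYPTED_CHALLENGE].get("key") == rec.long_term_key:
                return KdcReply(None)
        return KdcReply(KDC_ERR_PREAUTH_FAILED)


# Constructed database: one user with a long-term key, nothing for bob.
DB = {
    "alice@EXAMPLE.COM": Principal(
        "alice@EXAMPLE.COM", b"alice-key",
        frozenset({PA_PK_AS_REQ, PA_ENCRYPTED_CHALLENGE})),
}
BUGGY = Kdc(DB, synthesize_for_errors=False)
FIXED = Kdc(DB, synthesize_for_errors=True)
```

With `BUGGY`, a pre-auth-less AS-REQ for a principal that exists only in the external source gets KDC_ERR_C_PRINCIPAL_UNKNOWN even though the same client would succeed if it sent PA-PK-AS-REQ up front; with `FIXED`, the KRB-ERROR advertises PKINIT alone, so a client that needs the hint to pick a mechanism can proceed, while an encrypted-challenge attempt against the synthetic record is still refused.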