On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>>>> Hi Simo,
>>>>>
>>>>> I'm wondering if we need to change kdcproxy for anon PKINIT. What kind
>>>>> of Kerberos requests are performed by anon PKINIT and to establish a
>>>>> FAST tunnel? python-kdcproxy allows only the request types AS-REQ, TGS-REQ
>>>>> and AP-REQ+KRB-PRIV. Responses are not filtered.
>>>> The anonymous principal as configured in FreeIPA can only be used to obtain
>>>> a TGT, nothing else.
>>>>
>>>> See https://tools.ietf.org/html/rfc6112 for the spec definition.
>>>
>>> That doesn't answer my question for me. Or does 'only TGT' imply that
>>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>>> about the two request types.
>> You can only obtain a TGT, and this TGT can only be used for a FAST
>> channel. You cannot obtain any service ticket with this TGT.
> To close the loop, no changes in kdcproxy are needed because PKINIT is a
> pre-authentication scheme and it works just fine with kdcproxy as it is.
> I just tested this.
Alexander, thanks for your tests! I have created an issue to add test cases to
kdcproxy to ensure that we stay compatible with PKINIT:
https://github.com/latchset/kdcproxy/issues/23

Christian
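The thread's conclusion rests on one structural fact: kdcproxy decides what to forward from the outer [APPLICATION n] tag of the Kerberos message (RFC 4120 section 5.10), and PKINIT only adds PA-DATA inside an AS-REQ, so the outer tag is still 10. The following is an added example, not kdcproxy's code and not part of the original thread. It unwraps the MS-KKDCP KDC-PROXY-MESSAGE framing (SEQUENCE, kerb-message [0] EXPLICIT OCTET STRING carrying a 4-byte TCP length prefix), classifies the inner message by its application tag, recognises the RFC 3244 kpasswd framing (AP-REQ followed by KRB-PRIV) and applies the same allow-list the thread describes. All function names are mine, and the sample messages are constructed stubs: they have the correct outer tags and pvno/msg-type fields but filler bodies (the PA-PK-AS-REQ value is not a real SignedData), which is enough for a tag-based filter and nothing more.

```python
"""Tag-based request filtering in the style of kdcproxy (added example, not kdcproxy code)."""
import struct

# [APPLICATION n] tag numbers from RFC 4120 section 5.10.
KRB_APP_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
                14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
                22: "KRB-CRED", 30: "KRB-ERROR"}
# Allow-list the thread describes: AS-REQ, TGS-REQ and kpasswd (AP-REQ + KRB-PRIV).
ALLOWED_REQUESTS = {"AS-REQ", "TGS-REQ", "KPASSWD"}


def der_tlv(buf, pos=0):
    """Decode one DER TLV; returns (tag_class, constructed, tag_number, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    first = buf[pos]
    tag_class, constructed, tag_number = first >> 6, bool(first & 0x20), first & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high-tag-number form is not used by Kerberos")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, 1..4 length bytes
        nbytes = length & 0x7F
        if not 0 < nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value exceeds buffer")
    return tag_class, constructed, tag_number, buf[pos:pos + length], pos + length


def app_tag_name(msg):
    """Name a bare Kerberos message by its outer [APPLICATION n] tag."""
    tag_class, constructed, n, _value, end = der_tlv(msg)
    if tag_class != 1 or not constructed or end != len(msg):
        raise ValueError("not a single APPLICATION-tagged Kerberos message")
    return KRB_APP_TAGS.get(n, "UNKNOWN(%d)" % n)


def unwrap_proxy_message(data):
    """Extract kerb-message from a KDC-PROXY-MESSAGE and strip its 4-byte length prefix."""
    tag_class, constructed, n, seq, end = der_tlv(data)
    if (tag_class, constructed, n) != (0, True, 16) or end != len(data):
        raise ValueError("outer element is not a single SEQUENCE")
    tag_class, constructed, n, explicit, _ = der_tlv(seq)        # kerb-message [0] EXPLICIT
    if (tag_class, constructed, n) != (2, True, 0):
        raise ValueError("kerb-message [0] missing")
    tag_class, constructed, n, octets, end = der_tlv(explicit)   # OCTET STRING inside
    if (tag_class, constructed, n) != (0, False, 4) or end != len(explicit):
        raise ValueError("kerb-message is not an OCTET STRING")
    if len(octets) < 4 or struct.unpack(">I", octets[:4])[0] != len(octets) - 4:
        raise ValueError("TCP length prefix does not match payload")
    return octets[4:]


def classify_kerb_message(msg):
    """AS-REQ/TGS-REQ/... by outer tag, or KPASSWD for RFC 3244 framing."""
    if msg and (msg[0] & 0xC0) == 0x40:    # APPLICATION class: a plain Kerberos message
        return app_tag_name(msg)
    if len(msg) < 6:
        raise ValueError("message too short")
    total_len, version, ap_req_len = struct.unpack(">HHH", msg[:6])
    if total_len != len(msg) or version != 1:
        raise ValueError("neither a Kerberos message nor kpasswd framing")
    ap_req, krb_priv = msg[6:6 + ap_req_len], msg[6 + ap_req_len:]
    if app_tag_name(ap_req) != "AP-REQ" or app_tag_name(krb_priv) != "KRB-PRIV":
        raise ValueError("kpasswd body is not AP-REQ followed by KRB-PRIV")
    return "KPASSWD"


def proxy_request_allowed(data):
    """Return (message kind, would a kdcproxy-style allow-list forward it)."""
    kind = classify_kerb_message(unwrap_proxy_message(data))
    return kind, kind in ALLOWED_REQUESTS


# --- constructed sample messages (stubs with correct tags, filler bodies) -------------
def der(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def app(n, inner): return der(0x60 | n, inner)      # [APPLICATION n]
def ctx(n, inner): return der(0xA0 | n, inner)      # [n] EXPLICIT context tag
def integer(v):    return der(0x02, bytes([v]))     # small non-negative INTEGER only

def wrap_proxy_message(kerb_msg, realm=None):
    body = ctx(0, der(0x04, struct.pack(">I", len(kerb_msg)) + kerb_msg))
    if realm is not None:
        body += ctx(1, der(0x1B, realm.encode("ascii")))     # target-domain GeneralString
    return der(0x30, body)

# PKINIT AS-REQ stand-in: pvno, msg-type and one PA-DATA of type 16 (PA-PK-AS-REQ, RFC 4556)
# whose value is 150 filler bytes, which also exercises long-form lengths. Outer tag stays 10.
SAMPLE_PKINIT_AS_REQ = app(10, der(0x30, ctx(1, integer(5)) + ctx(2, integer(10)) +
    ctx(3, der(0x30, der(0x30, ctx(1, integer(16)) + ctx(2, der(0x04, b"\xaa" * 150)))))))
SAMPLE_TGS_REQ = app(12, der(0x30, ctx(1, integer(5)) + ctx(2, integer(12))))
_AP_REQ = app(14, der(0x30, ctx(0, integer(5)) + ctx(1, integer(14))))
_KRB_PRIV = app(21, der(0x30, ctx(0, integer(5)) + ctx(1, integer(21))))
SAMPLE_KPASSWD = (struct.pack(">HHH", 6 + len(_AP_REQ) + len(_KRB_PRIV), 1, len(_AP_REQ))
                  + _AP_REQ + _KRB_PRIV)

if __name__ == "__main__":
    for name, msg in [("PKINIT AS-REQ", SAMPLE_PKINIT_AS_REQ), ("TGS-REQ", SAMPLE_TGS_REQ),
                      ("kpasswd", SAMPLE_KPASSWD), ("bare KRB-PRIV", app(21, b"\x30\x00"))]:
        print(name, "->", proxy_request_allowed(wrap_proxy_message(msg, "EXAMPLE.TEST")))
```

The anonymous PKINIT case falls out directly: the pre-authentication data lives in padata [3] inside the AS-REQ, so the classifier never sees anything other than tag 10, and the FAST-armored TGS-REQ that follows is tag 12. Only a message outside the allow-list (a bare KRB-PRIV, or a reply type such as AS-REP arriving as a request) is refused.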
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code