Ken Hornstein via Kerberos <kerberos@mit.edu> writes:

> Well, dang, that's one for the toolbox! I was able to confirm that
> works just fine (but note I already had an existing PKINIT
> infrastructure to leverage). I will note that the existing
> documentation implies you could authenticate to WELLKNOWN/ANONYMOUS
> using your password, but maybe that isn't true? I'm specifically
> referring to the documentation for the '-n' option for kinit, the
> "second form" of anonymous tickets. There is a note that this isn't
> supported, but it mentions MIT Kerberos 1.8 so one could believe that
> note is out of date.

> This is kind of the giant mystery surrounding FAST. If you're not
> familiar with the gory details of the FAST protocol you're kind of left
> stumbling around to figure out what exactly you need to do. I realize
> this is probably because it's hard to write documentation for beginners
> (certainly I am guilty of this also); I'm only making this as a general
> observation.

I worked through a bunch of this for pam-krb5 back in the day and made it
support a set of reasonable things, including anonymous PKINIT to
establish the FAST armor. People who are working in this area may find
its source code useful to look at, although I think there have been
improvements since then and what it does may no longer be best practice.

https://github.com/rra/pam-krb5/blob/main/module/fast.c

-- 
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>