[Freeipa-devel] [PATCHES] add (initial) anonymous pkinit support

Simo Sorce ssorce at redhat.com
Tue Nov 9 00:34:12 UTC 2010


This set of patches implements the first part of ticket #55
The patchset only adds the ability to install pkinit with the
selfsigned CA (or with externally provided certs).

If you need to use/test dogtag you can pass the --no-pkinit option for
the time being as setting up pkinit is performed by default.

Patch 0003: change the install tools to use a subject base based on the
realm name and not O=IPA for all installs.

Patch 0004: Add basic certificate creation for selfsigned CA and KDC
configuration. openssl had to be used because the NSS tools cannot deal
with the special subjectAltName needed for the KDC certificate.

Patch 0005: Always set pkinit_anchors so that all clients are
preconfigured to do anonymous pkinit including master. Even if the
client does not support pkinit adding the option does not cause any
harm so it is a safe default.

Patch 0006: Add the wellknown principal needed to perform anonymous
pkinit AS requests. This principal is *DISABLED* by default.

Patch 0007: Add a new plugin that allows enabling the wellknown
account, effectively allowing to get pkinit anonymous tickets.
(as a bonus implements disable too :)

Patch 0008: Add support for configuring pkinit certs on replicas too.


What is still missing is dogtag integration and certmonger tracking.
Couldn't work on the dogtag part yet because it won't work on f14 which
is the only fedora version that has a kerberos version recent enough to
support asking for anonymous pkinit tickets.
Certmonger will need some thinking too as the KDC ticket requires a
different code path to be renewed (different commands in selfsign CA and
different profile with dogtag).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
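As an added example (not code from these patches or from FreeIPA), this shows what the "special subjectAltName" of patch 0004 is in bytes: a stdlib-only DER encoder for the id-pkinit-san KRB5PrincipalName (RFC 4556 / RFC 4120) a PKINIT KDC certificate carries, plus the openssl.cnf sections that make openssl emit the same extension, laid out as in the MIT krb5 pkinit documentation. The realm EXAMPLE.COM, the krbtgt principal and name-type 1 are assumed values.

```python
# Added example, not from the patches: DER-encode the id-pkinit-san
# KRB5PrincipalName that a PKINIT KDC certificate must carry in its
# subjectAltName, and emit openssl.cnf sections producing the same extension.
# Realm and principal values used by the caller are constructed.

def der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content): return bytes([tag]) + der_len(len(content)) + content
def general_string(s): return tlv(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString
def integer(i): return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big", signed=True))  # minimal two's complement
def sequence(*items): return tlv(0x30, b"".join(items))
def ctx(n, content): return tlv(0xA0 | n, content)  # EXPLICIT context-specific tag [n]

def krb5_principal_name(realm, components, name_type=1):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    principal = sequence(ctx(0, integer(name_type)),
                         ctx(1, sequence(*(general_string(c) for c in components))))
    return sequence(ctx(0, general_string(realm)), ctx(1, principal))

def pkinit_san_general_name(realm, components):
    # GeneralName otherName ([0] IMPLICIT SEQUENCE): OID id-pkinit-san 1.3.6.1.5.2.2
    # followed by the KRB5PrincipalName as the [0] EXPLICIT value
    oid = bytes.fromhex("06062b0601050202")
    return ctx(0, oid + ctx(0, krb5_principal_name(realm, components)))

def kdc_cert_openssl_sections(realm):
    # Same extension for 'openssl x509 -extensions kdc_cert' (layout from MIT krb5's
    # pkinit docs, realm substituted inline); 1.3.6.1.5.2.3.5 is the id-pkinit-KPKdc EKU
    return f"""[kdc_cert]
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0,GeneralString:{realm}
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:{realm}
"""
```

The DER output can be compared byte for byte against the otherName value that `openssl x509 -text` prints for a KDC certificate generated from those sections.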
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0003-Use-Realm-as-certs-subject-base-name.patch
Type: text/x-patch
Size: 19012 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101108/0de1c798/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0004-Add-support-for-configuring-KDC-certs-for-PKINIT.patch
Type: text/x-patch
Size: 15953 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101108/0de1c798/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0005-pkinit-always-configure-pkinit_anchors-in-krb5.conf.patch
Type: text/x-patch
Size: 741 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101108/0de1c798/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0006-anon-pkinit-add-well-known-principal.patch
Type: text/x-patch
Size: 2132 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101108/0de1c798/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0007-add-plugin-to-enable-disable-anonymous-pkinit.patch
Type: text/x-patch
Size: 3380 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101108/0de1c798/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0008-pkinit-replica-create-certificates-for-replicas-too.patch
Type: text/x-patch
Size: 13974 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20101108/0de1c798/attachment-0005.bin>