[Freeipa-devel] Anonymous PKINIT and kdcproxy

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 12 08:54:15 UTC 2016


On Mon, 12 Dec 2016, Christian Heimes wrote:
>Hi Simo,
>
>I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>of Kerberos requests are performed by anon pkinit and to establish a
>FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>and AP-REQ+KRB-PRV. Responses are not filtered.
The anonymous principal, as configured in FreeIPA, can only be used to
obtain a TGT, nothing else.

See https://tools.ietf.org/html/rfc6112 for a spec definition.
-- 
/ Alexander Bokovoy
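
Added example (not part of the original message and not python-kdcproxy's own code): a request-type allowlist keyed on the outer DER tag of a Kerberos message, showing why a TGT request from the anonymous principal, which is an AS-REQ, falls within the request types listed in the question. Tag numbers are from RFC 4120; the function names and sample bytes are constructed, the input is assumed to be the bare Kerberos message, and the kpasswd pair AP-REQ+KRB-PRV is left out because it uses a different framing.

```python
# Added example: classify a Kerberos message by its outer DER tag and
# apply a request-type allowlist. Names here are hypothetical.

# [APPLICATION n] tag numbers defined in RFC 4120.
APP_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
            14: "AP-REQ", 21: "KRB-PRIV", 30: "KRB-ERROR"}
# Assumption: only the two plain KDC request types are modelled here.
ALLOWED = {"AS-REQ", "TGS-REQ"}


def der_header(data):
    """Return (tag_class, constructed, tag_number, content_len, header_len)."""
    if len(data) < 2:
        raise ValueError("truncated message")
    ident, first = data[0], data[1]
    tag = ident & 0x1F
    if tag == 0x1F:
        raise ValueError("high-tag-number form is not used by these messages")
    if first < 0x80:                      # short-form length
        return ident >> 6, bool(ident & 0x20), tag, first, 2
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated length")
    return (ident >> 6, bool(ident & 0x20), tag,
            int.from_bytes(data[2:2 + n], "big"), 2 + n)


def classify(data):
    """Name the message type, rejecting anything that is not one whole message."""
    tag_class, constructed, tag, length, hdr = der_header(data)
    if tag_class != 1 or not constructed:  # class 1 = APPLICATION
        raise ValueError("not an APPLICATION-tagged constructed value")
    if hdr + length != len(data):          # no trailing or missing bytes
        raise ValueError("declared length does not match message size")
    if tag not in APP_TAGS:
        raise ValueError("unknown application tag %d" % tag)
    return APP_TAGS[tag]


def is_allowed(data):
    """True only for well-formed messages whose type is on the allowlist."""
    try:
        return classify(data) in ALLOWED
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: outer tag + length around an empty SEQUENCE.
    for sample in (b"\x6a\x02\x30\x00", b"\x6c\x02\x30\x00", b"\x6b\x02\x30\x00"):
        print(sample.hex(), classify(sample), is_allowed(sample))
```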



