Subject: Insufficient Information Printed from the PKINIT Plugin
Date: Tue, 22 May 2012 18:12:27 -0700 (PDT)

>Submitter-Id: net
>Originator: Henry B. Hotz
Jet Propulsion Laboratory
>Confidential: no
>Synopsis: Some important misconfigurations of the PKINIT plugin do not cause useful printout to KRB5_TRACE.
>Severity: non-critical
>Priority: medium
>Category: krb5-clients
>Class: support
>Release: 1.9
Intel VM, Scientific Linux 6.2, Scientific Linux 6.2, pkinit plugin
System: Linux 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 15:16:22 CDT 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

Some errors printed by the pkiDebug() routine, such as "no anchors in file", suggest mistakes in the krb5.conf. They should be printed to KRB5_TRACE, since it may be difficult to debug a configuration without them. It would not be excessive, but might not be necessary, to make all pkiDebug() go to KRB5_TRACE.
Varies. For the specific example just given, set pkinit_anchors to a .der-formatted file instead of PEM.
The workaround used was to build with the DEBUG flag. Seems excessive.
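As an added illustration (not part of the report or of the krb5 code), the misconfiguration above can be caught before kinit is run: the script below classifies each pkinit_anchors FILE: entry in a krb5.conf as PEM or DER, so a DER anchor is reported by name instead of surfacing as an unhelpful trace message. The krb5.conf, certificate files and paths are constructed for the demo.

```shell
#!/bin/sh
# Pre-flight check for the problem in the report: a pkinit_anchors entry
# that points at a DER file where MIT krb5 expects PEM.
# The krb5.conf and anchor files below are constructed demo input.

# Classify one anchor file as PEM, DER, UNKNOWN or MISSING.
anchor_format() {
    f="$1"
    [ -f "$f" ] || { echo MISSING; return 0; }
    if grep -q '^-----BEGIN ' "$f"; then
        echo PEM
    # DER certificates and bundles start with an ASN.1 SEQUENCE tag, 0x30.
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Report every "pkinit_anchors = FILE:..." entry of a krb5.conf.
# Exit status 0 only if every listed anchor exists and is PEM
# (a config with no FILE: anchors passes vacuously).
check_pkinit_anchors() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\(.*\)$/\1/p' "$1" |
    while read -r path; do
        fmt=$(anchor_format "$path")
        echo "$path: $fmt"
        [ "$fmt" = PEM ] || exit 1   # fails the pipeline, hence the function
    done
}

# --- constructed demo input (placeholder certificate bodies) ---------------
DEMO=$(mktemp -d)
cat > "$DEMO/ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderbodynotarealcertificate
-----END CERTIFICATE-----
EOF
printf '\060\202\001\000' > "$DEMO/ca.der"   # leading bytes of a DER SEQUENCE
cat > "$DEMO/krb5.conf" <<EOF
[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:$DEMO/ca.pem
        pkinit_anchors = FILE:$DEMO/ca.der
    }
EOF

if ! check_pkinit_anchors "$DEMO/krb5.conf"; then
    echo "non-PEM anchor found: convert with 'openssl x509 -inform DER -in ca.der -out ca.pem'"
fi
```

The demo config deliberately lists one PEM and one DER anchor, so the run reports the DER file and prints the conversion hint.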
The situation should be improved significantly in 1.11 by r25854
(committed May 8). In your particular scenario, the bogus "Out of
memory" error in the trace log would have been replaced with an OpenSSL
error, for instance.

There is still some information available through compile-time options
but not present in the trace logs (including basically everything on the
KDC side), so I wouldn't say we're done here. The main obstacle is
representing OpenSSL types in string form without adding a large amount
of code. (Also, I'm not sure I would want to dump Diffie-Hellman
parameters into the trace logs before we have a way to enable super-
verbose trace logging, since they're quite large and there are three of