Subject: pkinit_win2k_require_binding behavior does not match documentation
The documentation for pkinit_win2k_require_binding states:

If this flag is set to true, it expects that the target KDC is
patched to return a reply with a checksum rather than a nonce.
The default is false.

The actual behavior is:

1. If pkinit_win2k_require_binding is set, then when generating a draft9
request, generate additional empty KRB5_PADATA_AS_CHECKSUM pa-data.
This instructs patched Active Directory KDCs to generate an RFC 4556
ReplyKeyPack with checksum, instead of a draft 9 ReplyKeyPack with
nonce.

2. Always accept a draft 9 ReplyKeyPack in a draft9 response.

We could change the documentation, but I think it's more useful to
change the code behavior. We should always generate
KRB5_PADATA_AS_CHECKSUM pa-data when generating a draft9 request, and
should only accept a draft9 ReplyKeyPack if the variable is false. We
should also consider changing the default value from false to true.

There is some additional conditionalization around the longhorn variable
which isn't really important. (I am pretty sure that we can safely
remove the longhorn variable at this point.)

All of this applies only to RSA, not DH.

From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #7933] pkinit_win2k_require_binding behavior does not match documentation
Date: Fri, 06 Jun 2014 18:37:12 -0400
RT-Send-Cc:
You might actually be able to remove the whole variable at this point.
Is Windows 2003 still supported? If so, what service pack did that
patch make it into and when did that come out?

From: ghudson@mit.edu
Subject: git commit

Remove pkinit_win2k_require_binding option

When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.

For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.

https://github.com/krb5/krb5/commit/823bad7f3f314647feb14284bc36fa231c9c7875
Author: Greg Hudson <ghudson@mit.edu>
Commit: 823bad7f3f314647feb14284bc36fa231c9c7875
Branch: master
doc/admin/conf_files/krb5_conf.rst | 5 ----
src/plugins/preauth/pkinit/pkinit.h | 2 -
src/plugins/preauth/pkinit/pkinit_clnt.c | 38 +++--------------------------
src/plugins/preauth/pkinit/pkinit_lib.c | 1 -
4 files changed, 4 insertions(+), 42 deletions(-)
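The behaviour described in the ticket (point 1 and point 2 of the original report) and the behaviour the commit message settles on can be seen side by side in the following added model. It is example code written for this page, not krb5's pkinit code: the padata type is represented by its name as a string tag, the AS-REQ body and reply key are constructed byte strings, and the RFC 4556 asChecksum is stood in for by HMAC-SHA256 rather than a Kerberos checksum type. A `legacy` switch selects the pre-commit client behaviour (send KRB5_PADATA_AS_CHECKSUM only when pkinit_win2k_require_binding is set, accept any draft9 ReplyKeyPack) and the default selects the post-commit behaviour (always send it, never accept a draft9 ReplyKeyPack). The `kdc_reply` function models a patched Active Directory KDC that honours the padata and an unpatched one that can only answer with a nonce-style pack.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Padata name taken from the ticket; used as a string tag here, not the real padata number.
KRB5_PADATA_AS_CHECKSUM = "KRB5_PADATA_AS_CHECKSUM"


@dataclass
class Draft9Request:
    body: bytes        # stand-in for the encoded AS-REQ body (constructed, not real ASN.1)
    nonce: int         # nonce the client put into the request
    padata: Tuple[str, ...]  # padata type tags sent with the request


@dataclass
class ReplyKeyPack:
    kind: str                             # "draft9" (nonce only) or "rfc4556" (checksum)
    reply_key: bytes
    nonce: Optional[int] = None           # present in a draft9 ReplyKeyPack
    as_checksum: Optional[bytes] = None   # present in an RFC 4556 ReplyKeyPack


def as_checksum(key: bytes, body: bytes) -> bytes:
    """Stand-in for the keyed checksum over the AS-REQ; HMAC-SHA256 replaces the Kerberos cksumtype."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_draft9_request(body: bytes, nonce: int, require_binding: bool,
                         legacy: bool = False) -> Draft9Request:
    """Legacy: ask for a checksum-bound reply only when the option is set. Fixed: always ask."""
    padata: Tuple[str, ...] = ()
    if not legacy or require_binding:
        padata = (KRB5_PADATA_AS_CHECKSUM,)
    return Draft9Request(body, nonce, padata)


def kdc_reply(req: Draft9Request, reply_key: bytes, patched: bool = True) -> ReplyKeyPack:
    """Model KDC: a patched AD KDC honours the padata; an unpatched one always sends a draft9 pack."""
    if patched and KRB5_PADATA_AS_CHECKSUM in req.padata:
        return ReplyKeyPack("rfc4556", reply_key,
                            as_checksum=as_checksum(reply_key, req.body))
    return ReplyKeyPack("draft9", reply_key, nonce=req.nonce)


def accept_reply_key_pack(req: Draft9Request, pack: ReplyKeyPack,
                          legacy: bool = False) -> bool:
    """Client-side acceptance check for the ReplyKeyPack in a draft9 response."""
    if pack.kind == "draft9":
        # Legacy client accepted this unconditionally (the ticket's point 2).
        # After the commit it is rejected: a nonce alone does not bind the
        # reply key to the request the client actually sent.
        return legacy and pack.nonce == req.nonce
    if pack.kind == "rfc4556":
        if pack.as_checksum is None:
            return False
        expected = as_checksum(pack.reply_key, req.body)
        return hmac.compare_digest(pack.as_checksum, expected)
    return False


def exchange(require_binding: bool, legacy_client: bool, patched_kdc: bool) -> Tuple[str, bool]:
    """Run one request/reply and report the reply form and whether the client accepted it."""
    body = b"constructed AS-REQ body"  # constructed sample, not a real encoding
    reply_key = b"\x11" * 32           # constructed sample key
    req = build_draft9_request(body, 1234, require_binding, legacy=legacy_client)
    pack = kdc_reply(req, reply_key, patched=patched_kdc)
    return pack.kind, accept_reply_key_pack(req, pack, legacy=legacy_client)


if __name__ == "__main__":
    for args in [(False, True, True), (True, True, True), (False, False, True),
                 (False, False, False), (False, True, False)]:
        print("require_binding=%s legacy=%s patched_kdc=%s -> %s" % (args + (exchange(*args),)))
```

The last two cases in the `__main__` loop are the ones the ticket is about: against a KDC that answers with a draft9 ReplyKeyPack, the legacy client with the option left at its default accepts the unbound reply, while the post-commit client rejects it and so only proceeds with a reply whose checksum verifies over the request it sent.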