[32745] in Kerberos
How to turn off checking the Domain Controlle
daemon@ATHENA.MIT.EDU (Robert)
Thu Sep 30 11:12:16 2010
Message-ID: <400127.54702.qm@web53907.mail.re2.yahoo.com>
Date: Thu, 30 Sep 2010 08:12:09 -0700 (PDT)
From: Robert <fuzzyhypothesis@yahoo.com>
To: kerberos@mit.edu
Hi,

I wanted to know if there is a way I can stub out in the code so I do not check the domain controller/realm’s server certificate when using smartcards through the pkinit plugin (via PAM/pamkrb) and MIT Kerberos 1.8.3?

My problem is the DC is an MS box that I have no control over and has a tendency to change its signed cert a lot. Why? Long story, but it’s not because of security concerns, more of a “tinkering” one. Well, each time that changes, my client systems start failing with a preauth error since it can’t verify the certificate (I need to install a new root on all the systems, etc.).

So… I wanted to know if there is a way to turn this off via krb.conf or some other method. Or if someone could point me to the correct check in the code for this that I can stub out. I have been digging down into the pkinit plugin, in particular pkinit_clnt.c/pkinit_client_process(), but haven’t seen anything that strikes me as a “validate_controller_cert_here()”-like function. The check seems to happen on receiving an AS-REP with a cert attached.

I know this is not a recommended practice to remove this check, but it’s what I have to deal with.

Any help would be appreciated.

FuzzyH
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos