Re: Semantics for multiple pkinit_anchors/pkinit_pool lines
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jan 28 00:25:59 2021
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <6a0c50e3-fb82-814f-d284-84ac2ca4a7f1@mit.edu>
Date: Thu, 28 Jan 2021 00:25:44 -0500
MIME-Version: 1.0
In-Reply-To: <202101280244.10S2iqw8024039@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 1/27/21 9:45 PM, Ken Hornstein wrote:
> Our implementation was changed so all errors were ignored when loading
> the root and intermediate certificates. This hasn't been a problem in
> practice, but I realize it might not be ideal.
It wouldn't break anyone's working configuration, but it could obscure
the reason for a new configuration not working. In the most likely case
where you have one anchor specification and it isn't right, the KDC
currently logs:
  preauth pkinit failed to initialize: PKINIT initialization failed: Cannot open file '...': No such file or directory
and we'd lose that if errors were ignored. The trace log (where you'd
have to look on the client side) is pretty helpful with or without the
error being ignored.
  PKINIT OpenSSL error: Cannot open file '...'
  PKINIT OpenSSL error: error:02001002:system library:fopen:No such file or directory
> Keep track of errors and make it so it won't error out if at least
> one pkinit_anchors line works
This is probably fine. We'd still get our KDC log if there's one anchor
location and it can't be loaded, and the trace log would still note
which paths failed to load.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
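The semantics discussed in the thread (try every pkinit_anchors line, record each failure where a trace log would show it, and fail initialization only if no line loaded anything), as an added example that is not part of the original messages and not krb5's own code. The FILE:/DIR: prefixes mirror the pkinit_anchors syntax; the certificate loader is a constructed stand-in that only counts PEM markers, and the message texts, function names and the sample PEM file are assumptions made for the illustration.

```python
"""Added example: load several anchor specifications, keep going on errors,
and fail only when none of them yielded a certificate."""
import os
import tempfile

# Constructed sample file: a PEM block with a placeholder body, enough for the
# stand-in loader below (it only counts PEM markers, it does not parse X.509).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderbodynotarealcertificate\n"
    "-----END CERTIFICATE-----\n"
)


def load_pem_certs(path):
    """Stand-in for an X.509 loader: returns the number of PEM certificate
    blocks in the file; raises OSError (e.g. ENOENT) or ValueError on failure."""
    with open(path) as f:
        data = f.read()
    count = data.count("-----BEGIN CERTIFICATE-----")
    if count == 0:
        raise ValueError("no certificates found in %r" % path)
    return count


def load_anchor_spec(spec):
    """Load one pkinit_anchors value of the form FILE:path or DIR:path."""
    kind, sep, location = spec.partition(":")
    if not sep:
        raise ValueError("malformed anchor specification %r" % spec)
    if kind == "FILE":
        return load_pem_certs(location)
    if kind == "DIR":
        total = 0
        for name in sorted(os.listdir(location)):  # OSError if the dir is missing
            if name.endswith((".pem", ".crt")):
                total += load_pem_certs(os.path.join(location, name))
        if total == 0:
            raise ValueError("no certificates found in directory %r" % location)
        return total
    raise ValueError("unsupported anchor type %r in %r" % (kind, spec))


def load_anchors(specs, trace):
    """Try every spec; append a line to `trace` for each outcome; raise only
    if nothing at all could be loaded, carrying every recorded failure."""
    loaded = 0
    failures = []
    for spec in specs:
        try:
            n = load_anchor_spec(spec)
        except (OSError, ValueError) as err:
            failures.append((spec, str(err)))
            trace.append("PKINIT: failed to load anchors from %s: %s" % (spec, err))
            continue
        loaded += n
        trace.append("PKINIT: loaded %d anchor(s) from %s" % (n, spec))
    if loaded == 0:
        raise RuntimeError("PKINIT initialization failed: "
                           + "; ".join("%s: %s" % f for f in failures))
    return loaded, failures


def run_demo():
    """Exercise the cases from the thread in a scratch directory:
    one bad line (must fail loudly), bad + good (succeeds, failure traced),
    and all bad (fails, every failure reported)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "anchors.pem")
        with open(good, "w") as f:
            f.write(SAMPLE_PEM)
        missing = os.path.join(tmp, "missing.pem")
        nodir = os.path.join(tmp, "nodir")

        trace = []
        try:
            load_anchors(["FILE:" + missing], trace)
            results["single_bad"] = None
        except RuntimeError as err:
            results["single_bad"] = str(err)

        trace = []
        loaded, failures = load_anchors(["FILE:" + missing, "FILE:" + good], trace)
        results["mixed"] = (loaded, len(failures), list(trace))

        trace = []
        try:
            load_anchors(["FILE:" + missing, "DIR:" + nodir], trace)
            results["all_bad"] = None
        except RuntimeError as err:
            results["all_bad"] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, "->", outcome)
```

The point of carrying `failures` into the final error is the one Greg makes: with a single misconfigured anchor line the administrator still sees the concrete open error in the initialization failure, while a configuration with one working line and one broken line starts up and leaves the broken path visible only in the trace output.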