#6830 Configure local PKINIT on DL0 or when '--no-pkinit' option is used
Closed: fixed 3 years ago Opened 3 years ago by mbabinsk.

Currently, if PKINIT is not configured, there is no fallback mechanism for the FreeIPA framework to obtain an armor TGT for password/2FA logins. In this case we should issue a local KDC keypair for use as a fallback mechanism only on the master (it is not expected for this to work on clients). This keypair may be either self-signed, or we may introduce a local PKINIT CA that will sign the KDC keypair. This CA will be self-signed in the no-PKINIT scenario, and will be replaced by a CA with the same subject and private key after full PKINIT is requested.

For more details see http://www.freeipa.org/page/V4/Kerberos_PKINIT
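Whether the KDC keypair is issued by the IPA CA or by the local self-signed PKINIT CA proposed above, the certificate still has to carry the KDC identity that RFC 4556 requires and that anonymous PKINIT clients verify against their anchor: an id-pkinit-san otherName holding a DER-encoded KRB5PrincipalName for krbtgt/REALM@REALM, plus the id-pkinit-KPKdc EKU. The following is an added example, not FreeIPA's own code: it encodes that SAN value from scratch and checks one read back from a certificate; the realm used is a constructed sample.

```python
# Added example, not FreeIPA's own code: build and check the KRB5PrincipalName
# that a PKINIT KDC certificate's SAN must carry (RFC 4556). Sample realm is constructed.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"      # SAN otherName type holding KRB5PrincipalName
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"  # EKU a KDC certificate must carry
KRB5_NT_SRV_INST = 2                 # name-type of krbtgt/REALM

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_krb5_principal_name(realm, parts, name_type=KRB5_NT_SRV_INST) -> bytes:
    """KRB5PrincipalName ::= SEQUENCE { realm [0] KerberosString, principalName [1]
    SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString } }.
    [n] tags are explicit (0xA0 | n); KerberosString is GeneralString (0x1B)."""
    names = _tlv(0x30, b"".join(_tlv(0x1B, p.encode("ascii")) for p in parts))
    # name_type is encoded as a one-byte INTEGER, which covers the 0..127 KRB5_NT_* range
    princ = _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type]))) + _tlv(0xA1, names))
    return _tlv(0x30, _tlv(0xA0, _tlv(0x1B, realm.encode("ascii"))) + _tlv(0xA1, princ))

def _parse(buf: bytes, pos: int = 0):
    """(tag, body, end) of the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return tag, buf[start:start + n], start + n

def _children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, inner, pos = _parse(body, pos)
        out.append((tag, inner))
    return out

def decode_krb5_principal_name(der: bytes):
    """Inverse of encode_krb5_principal_name: (realm, name_type, parts)."""
    tag, body, end = _parse(der)
    (t0, realm_w), (t1, princ_w) = _children(body)
    if tag != 0x30 or end != len(der) or (t0, t1) != (0xA0, 0xA1):
        raise ValueError("not a KRB5PrincipalName")
    realm = _children(realm_w)[0][1].decode("ascii")
    (_, nt_w), (_, ns_w) = _children(_children(princ_w)[0][1])
    name_type = int.from_bytes(_children(nt_w)[0][1], "big", signed=True)
    parts = [p.decode("ascii") for _, p in _children(_children(ns_w)[0][1])]
    return realm, name_type, parts

def kdc_san_names_realm(san_der: bytes, realm: str) -> bool:
    """True if an id-pkinit-san value names krbtgt/REALM@REALM for this realm."""
    r, nt, parts = decode_krb5_principal_name(san_der)
    return r == realm and nt == KRB5_NT_SRV_INST and parts == ["krbtgt", realm]
```

The decoder is what a check of the deployed KDC certificate would run on the otherName value of the SAN entry with type ID_PKINIT_SAN; a KDC certificate whose SAN names a different principal, or a different realm, is rejected by PKINIT clients even when the signing CA is trusted.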


Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk

3 years ago

Metadata Update from @mbabinsk:
- Issue priority set to: 1

3 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1438729

3 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.1

3 years ago

master:

  • b1a1e10 separate function to set ipaConfigString values on service entry
  • fb52f7a Allow for configuration of all three PKINIT variants when deploying KDC
  • 8697229 API for retrieval of master's PKINIT status and publishing it in LDAP
  • 3adb9ca Use only anonymous PKINIT to fetch armor ccache
  • 68c6a4d Stop requesting anonymous keytab and purge all references of it
  • 2374b64 Use local anchor when armoring password requests
  • a194055 Upgrade: configure local/full PKINIT depending on the master status
  • 960e361 Do not test anonymous PKINIT after install/upgrade

ipa-4-5:

  • 31a2443 separate function to set ipaConfigString values on service entry
  • b49e075 Allow for configuration of all three PKINIT variants when deploying KDC
  • a0e2a09 API for retrieval of master's PKINIT status and publishing it in LDAP
  • fca378c Use only anonymous PKINIT to fetch armor ccache
  • 9fcc794 Stop requesting anonymous keytab and purge all references of it
  • 5031929 Use local anchor when armoring password requests
  • 2452e6e Upgrade: configure local/full PKINIT depending on the master status
  • d497c45 Do not test anonymous PKINIT after install/upgrade

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago