While Ken Hornstein's FAQ was useful in its day, much of its content
is no longer relevant (e.g., Kerberos 4) or even actively harmful
(e.g., the latest version of MIT krb5 is not 1.2.1). It was also
somewhat MIT-krb5-focused, especially relating to configuration file
snippets, which is not necessarily a great fit for the Heimdal
documentation.
Replace it with a tutorial hosted on kerberos.org and the classic
"dialogue" from Bill Bryant.
Fixes: #766
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate.
KDC configuration parameters:
- pkinit_max_life_from_cert_extension
- pkinit_max_life_bound
If `pkinit_max_life_from_cert_extension` is set to true then the
certificate extension or EKU will be checked.
If `pkinit_max_life_bound` is set to a positive relative time, then that
will be the upper bound of maximum Kerberos ticket lifetime derived from
these extensions.
The KDC config `pkinit_ticket_max_life_from_cert` that was added earlier
has been renamed to `pkinit_max_life_from_cert`.
See lib/hx509 and lib/krb5/krb5.conf.5.
This adds support for using a Heimdal-specific PKIX extension to derive
a maximum Kerberos ticket lifetime from a client's PKINIT certificate:
- a `--pkinit-max-life` to the `hxtool ca` command
- `hx509_ca_tbs_set_pkinit_max_life()`
- `hx509_cert_get_pkinit_max_life()`
- `HX509_CA_TEMPLATE_PKINIT_MAX_LIFE`
There are two extensions. One is an EKU, which if present means that
the maximum ticket lifetime should be derived from the notAfter minus
notBefore. The other is a certificate extension whose value is a
maximum ticket lifetime in seconds. The latter is preferred.
MSFT makes the `q` field of `DomainParameters` OPTIONAL even though it's
actually required. We currently validate DH groups not by validating
that p is a Sophie Germain prime but by checking the proposed group
against a compiled-in list and against a krb5.moduli file, therefore we
don't need q. Besides, for Oakley groups, because p is a Sophie Germain
prime, we'd have q=p/j and j=2, so we can always compute q as needed
(and MIT Kerberos does).
A common complaint about hxtool(1) is that if one fails to add a TYPE:
prefix to a CSR or certificate/private key store names, then hxtool
fails somewhat inscrutably. We can't just fix hx509_certs_init() or
hx509_certs_append() because they default to "MEMORY" so who knows what
might break. Instead we fix all uses of user-provided store names in
hxtool to have a FILE: prefix if no type was given. For CSRs we'll
default to adding the only type prefix supported, "PKCS10".
This adds a KDC configuration parameter that can be used to indicate
that a PKINIT client's certificate's notAfter overrides the client
principal's HDB entry's max_life. This parameter is a relative time
parameter, and it enables this only if set to a non-zero value (defaults
to zero). The value of this parameter caps the max_life inferred from
the certificate.
autoconf-2.70 and newer are more strict with quoting etc. and thus generate
a broken configure file:
configure: 20855: Syntax error: ")" unexpected (expecting "fi")
Gentoo-bug: https://bugs.gentoo.org/776241
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
