On Wed, 23 Oct 2024, Sam Morris via FreeIPA-users wrote:
> Having read the "Automated enrollment of FreeIPA host" thread <https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/YSPY5UD3NCJHAGH57IVFO37B2R7G5UM3/#KSEAZQ6RKNM7DBJ4IP5BXGTEA7U4IUJM> earlier in the year, I've written up some notes that I made while implementing it on my domain, which might be of interest to other users:
>
> https://robots.org.uk/FreeIPA#Automating_host_enrollment_with_PKINIT

Thank you, Sam!

> I decided to create a more complex certificate mapping rule which matches on the certificate's Kerberos principal name as well as its DNS-ID. The advantage of this approach is that it prevents certificates without a Kerberos principal name from being used for PKINIT at all, and it also stops a host and the services running on it from using their certificates to authenticate as each other.

Local organizational policies are exactly for this, indeed!

> There's also some info about the details of the two different ways to add a Kerberos principal name to certificates, and examples of using OpenSSL to add the `szOID_NT_PRINCIPAL_NAME` type of otherName.

You can use certmonger as well. Add a host where certmonger runs as a
manager to all those hosts to be enrolled and then 'ipa-getcert request'
options can be used to add all particular extensions.


> I noticed that sss-certmap(5) documents an extended form of the <SAN> component rule that is not present in krb5.conf(5) (e.g., <SAN:Principal>). I was wondering how these actually work - does krb5kdc KDC call into an SSSD plugin that implements these extra matching rule components?

Exactly. IPA provides its own certauth plugin that uses SSSD libraries to
handle the mapping.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
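For anyone who wants to see what the two otherName forms discussed above actually look like inside a certificate, here is an added example (my own, not code from Sam's page and not from FreeIPA or certmonger). It uses plain OpenSSL to self-sign two throwaway certificates for a made-up host client.example.test in a made-up realm EXAMPLE.TEST: one carrying the principal host/client.example.test@EXAMPLE.TEST both as the szOID_NT_PRINCIPAL_NAME otherName (OID 1.3.6.1.4.1.311.20.2.3, a UTF8String) and as the PKINIT KRB5PrincipalName otherName (OID 1.3.6.1.5.2.2) alongside a dNSName, and one with the dNSName only. It then reports which SAN entries each certificate carries by scanning the DER for the encoded OIDs; that local check stands in for the <SAN:Principal> and <SAN:dnsName> matching the KDC's certauth plugin would do. The directory and file names are assumptions, and the ASN.1 sections for KRB5PrincipalName follow the shape shown in MIT krb5's PKINIT documentation.

```shell
#!/bin/sh
# Added example, not from Sam's write-up and not FreeIPA/certmonger code:
# self-sign two test certificates with OpenSSL, one with a Kerberos principal
# in the SAN (both otherName forms) and one with only a dNSName, then report
# which SAN entries each actually carries. Host, realm and paths are made up.
set -eu

REALM="EXAMPLE.TEST"                      # assumed realm
HOST="client.example.test"                # assumed enrolled host
DIR="${PKINIT_DEMO_DIR:-./pkinit-demo}"   # scratch directory

# Write an OpenSSL config for a host certificate named $1. With "yes" as $2
# the SAN carries host/$HOST@$REALM twice:
#  - otherName 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME / UPN, UTF8String)
#  - otherName 1.3.6.1.5.2.2 (id-pkinit-san, KRB5PrincipalName from RFC 4556)
write_config() {
  if [ "$2" = yes ]; then
    princ_lines="otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:host/$HOST@$REALM
otherName.2 = 1.3.6.1.5.2.2;SEQUENCE:krb5_princ"
  else
    princ_lines=""
  fi
  cat > "$DIR/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_host

[ dn ]
CN = $HOST

[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.2.3.4, clientAuth
subjectAltName = @san

[ san ]
DNS.1 = $HOST
$princ_lines

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
[ krb5_princ ]
realm = EXP:0, GeneralString:$REALM
principal_name = EXP:1, SEQUENCE:krb5_princ_name

# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
[ krb5_princ_name ]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:krb5_princ_components

[ krb5_princ_components ]
princ1 = GeneralString:host
princ2 = GeneralString:$HOST
EOF
}

# Generate a throwaway self-signed cert named $1; $2 is yes/no for the principal.
make_cert() {
  mkdir -p "$DIR"
  write_config "$1" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$DIR/$1.key" -out "$DIR/$1.crt" -config "$DIR/$1.cnf" 2>/dev/null
  echo "$DIR/$1.crt"
}

# DER bytes of a PEM certificate as one continuous lowercase hex string.
der_hex() {
  openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n'
}

# Report which SAN entries a cert carries by searching its DER for the
# encoded OBJECT IDENTIFIER of each otherName type and for the [2] IA5String
# tag + length + bytes of the dNSName. Output: "dns=N upn=N krb5=N".
check_san() {
  hex=$(der_hex "$1")
  dns_hex=$(printf '%s' "$HOST" | od -An -v -tx1 | tr -d ' \n')
  dns_tlv="82$(printf '%02x' "${#HOST}")$dns_hex"
  r="dns=0"; case "$hex" in *"$dns_tlv"*) r="dns=1";; esac
  u="upn=0"; case "$hex" in *060a2b060104018237140203*) u="upn=1";; esac
  k="krb5=0"; case "$hex" in *06062b0601050202*) k="krb5=1";; esac
  echo "$r $u $k"
}

main() {
  host_crt=$(make_cert host yes)   # what a PKINIT-capable host cert needs
  bare_crt=$(make_cert bare no)    # a cert with a DNS-ID only
  echo "host.crt: $(check_san "$host_crt")"
  echo "bare.crt: $(check_san "$bare_crt")"
}

main
```

The host certificate reports dns=1 upn=1 krb5=1 and the bare one dns=1 upn=0 krb5=0; a match rule that requires <SAN:Principal> rejects the second outright, which is the effect Sam describes, and adding a <SAN:dnsName> component on top ties the principal to the host's own name. On an enrolled IPA host the certmonger way to ask for the same SAN content is `ipa-getcert request` with `-K host/$(hostname -f)@REALM` for the principal and `-D $(hostname -f)` for the DNS name (not run here, since it needs the IPA CA).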

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue