Thanks - it turns out the issue with MacOSX failing when --pk-use-enckey is not used is associated with the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman key. Apparently MacOSX Heimdal is set at 1024 and has no (at least that I can find) krb5.conf attribute like pkinit_dh_min_bits. The MIT KDC minimum is 2048, and even if you set the kdc.conf pkinit_dh_min_bits to 1024 the source code's minimum is defined at 2048. I was hoping I could make a configuration change rather than a code change, but that does not look like it's possible. So I had to change krb5-1.10.3/src/plugins/preauth/pkinit/pkinit.h for PKINIT_DEFAULT_DH_MIN_BITS to 1024 to make pkinit work on MacOSX.

If you know a better way please let me know.

Glenn

On 1/18/16, 4:49 PM, "Greg Hudson" <ghud...@mit.edu> wrote:

>On 01/18/2016 01:52 PM, Machin, Glenn D wrote:
>> PKINIT seems to only work using MacOSX kinit (/usr/bin/kinit) when the
>> argument "--pk-use-enckey" is also passed. There does not seem to be
>> a corresponding krb5.conf setting for this argument. Does anyone know
>> a MacOSX krb5.conf setting that will do the same thing as
>> --pk-use-enckey?
>
>By my reading of the OS X Heimdal code, there is no equivalent krb5.conf
>option.

________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
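The following is an added example, not code from MIT krb5 or from the poster, that models the KDC-side decision the thread describes: the client's Diffie-Hellman modulus is measured in bits, compared against the minimum the KDC enforces, and rejected if too small. The clamping rule (a kdc.conf `pkinit_dh_min_bits` below the compiled-in `PKINIT_DEFAULT_DH_MIN_BITS` does not lower the floor) is an assumption modelled on the poster's observation, not a transcription of the MIT source; the sample moduli are constructed integers of the right bit length, not real DH groups.

```python
# Compiled-in floor from pkinit.h as the post reports it (the poster changed
# this to 1024 in krb5-1.10.3 to get the Mac client accepted).
PKINIT_DEFAULT_DH_MIN_BITS = 2048


def effective_dh_min_bits(configured_min_bits, compiled_floor=PKINIT_DEFAULT_DH_MIN_BITS):
    """Return the minimum DH prime size the KDC actually enforces.

    Assumption modelled on the post: a kdc.conf pkinit_dh_min_bits value below
    the compiled-in default is ignored in favour of the default, while a larger
    value is honoured. None means the setting is absent from kdc.conf.
    """
    if configured_min_bits is None:
        return compiled_floor
    return max(configured_min_bits, compiled_floor)


def check_client_dh(prime, configured_min_bits=None, compiled_floor=PKINIT_DEFAULT_DH_MIN_BITS):
    """Decide whether the KDC accepts the client's DH group.

    `prime` is the modulus p from the client's DH DomainParameters; only its
    bit length matters here. Returns (accepted, message); on rejection the
    message carries the RFC 4556 error name the KDC would return.
    """
    bits = prime.bit_length()
    minimum = effective_dh_min_bits(configured_min_bits, compiled_floor)
    if bits < minimum:
        return (False, "KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED: "
                       f"client sent {bits}-bit DH prime, KDC requires {minimum}")
    return (True, f"accepted {bits}-bit DH prime (minimum {minimum})")


# Constructed sample moduli: the check above only looks at bit length, so these
# are NOT real primes or real MODP groups, just integers of the right size.
CLIENT_1024_BIT_P = (1 << 1023) | 1   # stands in for the Mac client's 1024-bit group
CLIENT_2048_BIT_P = (1 << 2047) | 1   # stands in for a 2048-bit group


def scenarios():
    """Walk through the situations in the thread; returns name -> accepted."""
    return {
        # Stock MIT KDC, Mac Heimdal client offering 1024 bits: rejected.
        "stock_kdc_mac_client":
            check_client_dh(CLIENT_1024_BIT_P)[0],
        # kdc.conf pkinit_dh_min_bits = 1024 on its own: still rejected,
        # because the compiled-in floor wins.
        "kdc_conf_1024_only":
            check_client_dh(CLIENT_1024_BIT_P, configured_min_bits=1024)[0],
        # Source changed so PKINIT_DEFAULT_DH_MIN_BITS is 1024: accepted.
        "source_floor_1024":
            check_client_dh(CLIENT_1024_BIT_P, configured_min_bits=1024,
                            compiled_floor=1024)[0],
        # A client offering 2048 bits is accepted by the stock KDC.
        "stock_kdc_2048_client":
            check_client_dh(CLIENT_2048_BIT_P)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running it walks through the three states in the thread (stock KDC, kdc.conf lowered, source floor lowered) and shows why only the last one lets the 1024-bit client through. Note that the source change lowers the floor for every PKINIT client of that KDC, not just the Mac one, so the KDC will from then on accept 1024-bit groups from anyone.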