Extending certauth plugin to set ticket flags?

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Feb 21 13:11:21 EST 2020


>>> 2. Designate a magic authentication indicator value (probably "hwauth").
>>> In the core KDC code near the end of AS-REQ processing, check if this
>>> indicator is asserted and set the hw-authent bit.
>> 
>> I'd be happy with this.
>
>Unfortunately, this approach turns out to be difficult to implement
>properly.  (Authdata handling happens late in the AS-REQ process, and
>can affect the set of indicators.  Checking the server principal's
>hardware authentication requirement against the ticket flags happens
>earlier, and if that check fails, we have to produce a hint list, which
>is an async process, so it's not easy to move the check later.)

Well, I will defer to your knowledge of the KDC AS-REQ processing path,
and "perfect is the enemy of the good" and all that.  If you are fine
with a designated authorize_cert return code, then so am I.

--Ken
