kerberos, pre_auth, and smartcards
Russ Allbery
rra at stanford.edu
Tue Jul 27 16:43:54 EDT 2010
Greg Hudson <ghudson at MIT.EDU> writes:
> preauth-required doesn't specify which kind of preauth is required. The
> client is proving its knowledge of the password using a much simpler
> mechanism called "encrypted timestamp", and that's sufficient for the
> KDC to issue a ticket.
> Currently, if you want to specifically require pkinit, you'll need to
> randomize the principal's key so that there is no valid password.
I thought setting requires_hwauth on the principal should force PKINIT.
Does this not work the way that I thought it did?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list