kerberos, pre_auth, and smartcards

Greg Hudson ghudson at MIT.EDU
Tue Jul 27 17:06:42 EDT 2010


On Tue, 2010-07-27 at 16:43 -0400, Russ Allbery wrote:
> I thought setting requires_hwauth on the principal should force PKINIT.
> Does this not work the way that I thought it did?

I can't find anything in our code which would set the HW-AUTHENT ticket
flag for pkinit preauth.  Only SAM preauth appears to do that.

It's theoretically possible for a KDC to have evidence of whether PKINIT
preauth was done with hardware or software private keys, but only with
help from the admin, and we don't have that kind of configuration.




