kerberos, pre_auth, and smartcards
Will Fiveash
will.fiveash at oracle.com
Tue Jul 27 21:50:49 EDT 2010
On Tue, Jul 27, 2010 at 05:06:42PM -0400, Greg Hudson wrote:
> On Tue, 2010-07-27 at 16:43 -0400, Russ Allbery wrote:
> > I thought setting requires_hwauth on the principal should force PKINIT.
> > Does this not work the way that I thought it did?
>
> I can't find anything in our code which would set the HW-AUTHENT ticket
> flag for pkinit preauth. Only SAM preauth appears to do that.
>
> It's theoretically possible for a KDC to have evidence of whether PKINIT
> preauth was done with hardware or software private keys, but only with
> help from the admin, and we don't have that kind of configuration.

I started a thread on this earlier; search for the following in the
archives:

Date: Tue, 9 Feb 2010 19:05:32 -0600
From: Will Fiveash <William.Fiveash at Sun.COM>
To: MIT Kerberos Dev List <krbdev at MIT.EDU>
Subject: HW-AUTHENT flag question
Message-ID: <20100210010532.GB14762 at sun.com>
--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/