kerberos, pre_auth, and smartcards

Will Fiveash will.fiveash at oracle.com
Tue Jul 27 21:50:49 EDT 2010


On Tue, Jul 27, 2010 at 05:06:42PM -0400, Greg Hudson wrote:
> On Tue, 2010-07-27 at 16:43 -0400, Russ Allbery wrote:
> > I thought setting requires_hwauth on the principal should force PKINIT.
> > Does this not work the way that I thought it did?
> 
> I can't find anything in our code which would set the HW-AUTHENT ticket
> flag for pkinit preauth.  Only SAM preauth appears to do that.
> 
> It's theoretically possible for a KDC to have evidence of whether PKINIT
> preauth was done with hardware or software private keys, but only with
> help from the admin, and we don't have that kind of configuration.

I started a thread on this earlier; search for the following in the
archives:

    Date: Tue, 9 Feb 2010 19:05:32 -0600
    From: Will Fiveash <William.Fiveash at Sun.COM>
    To: MIT Kerberos Dev List <krbdev at MIT.EDU>
    Subject: HW-AUTHENT flag question
    Message-ID: <20100210010532.GB14762 at sun.com>
-- 
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/


