SecurID Preauth Support

[John Devitofranceschi]

I just noticed the SecurID Preauth Support plugin in MIT Kerberos 1.9 and I was wondering if anyone has been using it yet.

I am specifically interested in the operational and user aspects of supporting this plugin.  

>From the plugin's Readme:

"Once the plugin is installed, set the requires_preauth and potentially requires_hwauth flags for a principal.  Then create principal/SECURID as a new principal with a random key. That principal will now require SecurID authentication."

>From this and the source, I am thinking that if I create a principal named 'fred' (which corresponds with, say, a unix login named 'fred'), I can enable SecurID preauth in the manner described and as far as 'fred' is concerned, the only thing that has changed is that he now has to use his PIN/Token to successfully preauth, not his old password. The user need never know that 'fred/SECURID' exists and the any tgt's issued by the KDC will have the 'H' (Hardware authenticated) flag set.

Is this accurate?

jd