pkinit with passwords
Greg Hudson
ghudson at MIT.EDU
Wed Aug 21 00:32:20 EDT 2013
On 08/19/2013 06:45 PM, Chris wrote:
> I've been experimenting with pkinit, and was wondering if there is a
> way to also require the normal kerberos password as well as using a
> certificate file. I prefer not to trust the cert alone, but would also
> like something more than a password. I can ask people to password
> protect their cert key, and that works, but is unenforceable.

I don't believe there's any way to combine PKINIT with Kerberos
passwords, no. I think the usual way to enforce this is to issue smart
cards, but that obviously carries a cost.

There's been a lot of discussion recently on combining multiple preauth
mechs, or just combining Kerberos passwords with preauth mechs which
don't normally require one (FAST OTP or PKINIT). But I don't know
whether those discussions will come to anything specific or when.