pkinit with passwords

Greg Hudson ghudson at MIT.EDU
Wed Aug 21 00:32:20 EDT 2013


On 08/19/2013 06:45 PM, Chris wrote:
> I've been experimenting with pkinit, and was wondering if there is a
> way to also require the normal Kerberos password as well as using a
> certificate file.  I prefer not to trust the cert alone, but would also
> like something more than a password.  I can ask people to password
> protect their cert key, and that works, but is unenforceable.

I don't believe there's any way to combine PKINIT with Kerberos
passwords, no.  I think the usual way to enforce this is to issue smart
cards, but that obviously carries a cost.

There's been a lot of discussion recently on combining multiple preauth
mechs, or just combining Kerberos passwords with preauth mechs which
don't normally require one (FAST OTP or PKINIT).  But I don't know
whether those discussions will come to anything specific or when.


