Conditional prompting with PKINIT preauth

Nico Williams nico at
Mon May 27 18:22:11 EDT 2013

On Mon, May 27, 2013 at 3:51 PM, Greg Hudson <ghudson at> wrote:
> More generally, I'm not sure the pam_krb5 module ought to be driving the
> decision to use PKINIT.  [...]

Well, certainly the KDC must decide how some principal is
authenticated.  But local policy must also be allowed to set a bar.


More information about the Kerberos mailing list