Conditional prompting with PKINIT preauth

Nico Williams nico at cryptonector.com
Mon May 27 18:22:11 EDT 2013


On Mon, May 27, 2013 at 3:51 PM, Greg Hudson <ghudson at mit.edu> wrote:
> More generally, I'm not sure the pam_krb5 module ought to be driving the
> decision to use PKINIT.  [...]

Well, certainly the KDC must decide how some principal is
authenticated.  But local policy must also be allowed to set a bar.

Nico
--

