[krbdev.mit.edu #8629] etype-info not included in hint list for REQUIRES_HW_AUTH principals
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Dec 25 17:28:37 EST 2017
Testing confirms that SAM-2 preauth (using the testing "grail" option)
does not currently work with a non-default salt.
If we add the PA_HARDWARE flag to the etype-info system entries, it
still doesn't work, because verify_grail_data() insists on a key with
the normal salt type. (verify_securid_data_2() does the same thing.)
But if that call to krb5_dbe_find_enctype() is changed to allow any
salt type, then it works.