attribute to require pkinit?

Kevin Coffman kwc at
Fri Dec 1 10:23:16 EST 2006

On 11/29/06, Sam Hartman <hartmans at> wrote:
> >>>>> "Kevin" == Kevin Coffman <kwc at> writes:
>     Kevin> On 11/29/06, Clifford Neuman <bcn at> wrote:
>     >> I dont' think that overloading hw_auth is the right thing.
>     >>
>     >> However, wouldn't it require pkinit if the database entry did
>     >> not have a secret key usable for direct authentication.
>     Kevin> I interpret this as "randomize the user's key/password" so
>     Kevin> that the only way they could possibly authenticate is with
>     Kevin> pkinit.  Is that correct?
> no, I think he means a principal with no keys.
> This would be a reasonable approach, but it turns out it would at
> least break the LDAP backend.  Fixing the LDAP backend would probably
> be desirable.

If I understood correctly, yesterday you suggested that a new
attribute indicating "Preauthentication with Key Replacement Required"
would be acceptably generic and meet these needs.  Is that correct?


More information about the krbdev mailing list