attribute to require pkinit?
Kevin Coffman
kwc at citi.umich.edu
Fri Dec 1 10:23:16 EST 2006
On 11/29/06, Sam Hartman <hartmans at mit.edu> wrote:
> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
>
> Kevin> On 11/29/06, Clifford Neuman <bcn at isi.edu> wrote:
> >> I don't think that overloading hw_auth is the right thing.
> >>
> >> However, wouldn't it require pkinit if the database entry did
> >> not have a secret key usable for direct authentication.
>
> Kevin> I interpret this as "randomize the user's key/password" so
> Kevin> that the only way they could possibly authenticate is with
> Kevin> pkinit. Is that correct?
>
>
> no, I think he means a principal with no keys.
>
> This would be a reasonable approach, but it turns out it would at
> least break the LDAP backend. Fixing the LDAP backend would probably
> be desirable.
If I understood correctly, yesterday you suggested that a new
attribute indicating "Preauthentication with Key Replacement Required"
would be acceptably generic and meet these needs. Is that correct?
K.C.