attribute to require pkinit?
Sam Hartman
hartmans at MIT.EDU
Fri Dec 1 11:27:05 EST 2006
>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
Kevin> On 11/29/06, Sam Hartman <hartmans at mit.edu> wrote:
>> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
>>
Kevin> On 11/29/06, Clifford Neuman <bcn at isi.edu> wrote:
>> >> I don't think that overloading hw_auth is the right thing.
>> >>
>> >> However, wouldn't it require pkinit if the database entry
>> >> did not have a secret key usable for direct authentication.
>>
Kevin> I interpret this as "randomize the user's key/password" so
Kevin> that the only way they could possibly authenticate is with
Kevin> pkinit. Is that correct?
>>
>>
>> no, I think he means a principal with no keys.
>>
>> This would be a reasonable approach, but it turns out it would
>> at least break the LDAP backend. Fixing the LDAP backend would
>> probably be desirable.
Kevin> If I understood correctly, yesterday you suggested that a
Kevin> new attribute indicating "Preauthentication with Key
Kevin> Replacement Required" would be acceptably generic and meet
Kevin> these needs. Is that correct?
While true, we concluded that no one on the call actually had a need
to solve this problem and so we marked it as completed.
--Sam