attribute to require pkinit?

Sam Hartman hartmans at MIT.EDU
Fri Dec 1 11:27:05 EST 2006

>>>>> "Kevin" == Kevin Coffman <kwc at> writes:

    Kevin> On 11/29/06, Sam Hartman <hartmans at> wrote:
    >> >>>>> "Kevin" == Kevin Coffman <kwc at> writes:
    Kevin> On 11/29/06, Clifford Neuman <bcn at> wrote:
    >> >> I don't think that overloading hw_auth is the right thing.
    >> >>
    >> >> However, wouldn't it require pkinit if the database entry
    >> >> did not have a secret key usable for direct authentication.
    Kevin> I interpret this as "randomize the user's key/password" so
    Kevin> that the only way they could possibly authenticate is with
    Kevin> pkinit.  Is that correct?
    >> no, I think he means a principal with no keys.
    >> This would be a reasonable approach, but it turns out it would
    >> at least break the LDAP backend.  Fixing the LDAP backend would
    >> probably be desirable.

    Kevin> If I understood correctly, yesterday you suggested that a
    Kevin> new attribute indicating "Preauthentication with Key
    Kevin> Replacement Required" would be acceptably generic and meet
    Kevin> these needs.  Is that correct?

While true, we concluded that no one on the call actually had a need
to solve this problem and so we marked it as completed.
