>Is there a need/desire to have a per-principal db attribute which >requires a user to use pkinit to authenticate? I can think of cases where it would be useful (we make use of the feature to require some users to use hardware preauth). --Ken