attribute to require pkinit?

Ken Renard kdrenard at
Wed Nov 29 10:17:59 EST 2006

How about an attribute that lists the acceptable preauth types for a  
user [combined with preauth_required flag]?  The "hw_auth" flag would  
be a complementary attribute that might limit the acceptable client  
certificates to those known to be on a smartcard.

This maintains the client's ability to select an acceptable preauth  
type based on their current capabilities (smartcard reader attached?  
SecurID card in hand?)

-Ken Renard

On Nov 29, 2006, at 9:28 AM, Sam Hartman wrote:

>>>>>> "Kevin" == Kevin Coffman <kwc at> writes:
>     Kevin> Is there a need/desire to have a per-principal db attribute
>     Kevin> which requires a user to use pkinit to authenticate?
> That sounds like it would be too much of a tie between the base code
> and pkinit without some abstraction.
> I wonder whether overloading the hw_auth attribute is sufficient.
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list