attribute to require pkinit?

[Kevin Coffman]

On 11/29/06, Clifford Neuman <bcn at isi.edu> wrote:
> I dont' think that overloading hw_auth is the right thing.
>
> However, wouldn't it require pkinit if the database entry did not have a
> secret key usable for direct authentication.

I interpret this as "randomize the user's key/password" so that the
only way they could possibly authenticate is with pkinit.  Is that
correct?