attribute to require pkinit?

Sam Hartman hartmans at MIT.EDU
Wed Nov 29 12:55:59 EST 2006

>>>>> "Kevin" == Kevin Coffman <kwc at> writes:

    Kevin> On 11/29/06, Clifford Neuman <bcn at> wrote:
    >> I don't think that overloading hw_auth is the right thing.
    >> However, wouldn't it require pkinit if the database entry did
    >> not have a secret key usable for direct authentication.

    Kevin> I interpret this as "randomize the user's key/password" so
    Kevin> that the only way they could possibly authenticate is with
    Kevin> pkinit.  Is that correct?

No, I think he means a principal with no keys.

This would be a reasonable approach, but it turns out it would at
least break the LDAP backend.  Fixing the LDAP backend would probably
be desirable.
