attribute to require pkinit?
Sam Hartman
hartmans at MIT.EDU
Wed Nov 29 12:55:59 EST 2006
>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
Kevin> On 11/29/06, Clifford Neuman <bcn at isi.edu> wrote:
>> I don't think that overloading hw_auth is the right thing.
>>
>> However, wouldn't it require pkinit if the database entry did
>> not have a secret key usable for direct authentication.
Kevin> I interpret this as "randomize the user's key/password" so
Kevin> that the only way they could possibly authenticate is with
Kevin> pkinit. Is that correct?
No, I think he means a principal with no keys.
This would be a reasonable approach, but it turns out it would at
least break the LDAP backend. Fixing the LDAP backend would probably
be desirable.