attribute to require pkinit?
Nicolas Williams
Nicolas.Williams at sun.com
Wed Nov 29 13:16:33 EST 2006
On Wed, Nov 29, 2006 at 12:54:05PM -0500, Sam Hartman wrote:
> >>>>> "Ken" == Ken Renard <kdrenard at wareonearth.com> writes:
>
> Ken> How about an attribute that lists the acceptable preauth
> Ken> types for a user [combined with preauth_required flag]? The
> Ken> "hw_auth" flag would be a complementary attribute that might
> Ken> limit the acceptable client certificates to those known to be
> Ken> on a smartcard.
>
>
> This is both clearly the right answer and very difficult to implement,
> which is why I did not mention it.
Why is it difficult to implement? Because of the LDAP KDB backend?
Nico
--
More information about the krbdev
mailing list