attribute to require pkinit?

Nicolas Williams Nicolas.Williams at
Wed Nov 29 13:16:33 EST 2006

On Wed, Nov 29, 2006 at 12:54:05PM -0500, Sam Hartman wrote:
> >>>>> "Ken" == Ken Renard <kdrenard at> writes:
>     Ken> How about an attribute that lists the acceptable preauth
>     Ken> types for a user [combined with preauth_required flag]?  The
>     Ken> "hw_auth" flag would be a complementary attribute that might
>     Ken> limit the acceptable client certificates to those known to be
>     Ken> on a smartcard.
> This is both clearly the right answer and very difficult to implement,
> which is why I did not mention it.

Why is it difficult to implement?  Because of the LDAP KDB backend?

