attribute to require pkinit?
Nicolas.Williams at sun.com
Wed Nov 29 13:23:41 EST 2006
On Wed, Nov 29, 2006 at 09:28:29AM -0500, Sam Hartman wrote:
> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
> Kevin> Is there a need/desire to have a per-principal db attribute
> Kevin> which requires a user to use pkinit to authenticate?
> That sounds like it would be too much of a tie between the base code
> and pkinit without some abstraction.
Why? Reserve some flag bits for pre-auths, allow third parties to
register such flags and you're done.
Of course, a string would be better.
> I wonder whether overloading the hw_auth attribute is sufficient.
No, neither is it sufficient to overload lack of keys.
More information about the krbdev