attribute to require pkinit?

Sam Hartman hartmans at MIT.EDU
Wed Nov 29 14:06:05 EST 2006

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

    Nicolas> On Wed, Nov 29, 2006 at 12:54:05PM -0500, Sam Hartman
    Nicolas> wrote:
    >> >>>>> "Ken" == Ken Renard <kdrenard at> writes:
    Ken> How about an attribute that lists the acceptable preauth
    Ken> types for a user [combined with preauth_required flag]?  The
    Ken> "hw_auth" flag would be a complementary attribute that might
    Ken> limit the acceptable client certificates to those known to be
    Ken> on a smartcard.
    >> This is both clearly the right answer and very difficult to
    >> implement, which is why I did not mention it.

    Nicolas> Why is it difficult to implement?  Because of the LDAP
    Nicolas> KDB backend?

More because of the kadm5 API and the db2 backend.
I think the LDAP side is easy.

More information about the krbdev mailing list