Authentication strength and ticket policy

Matt Rogers mrogers at
Tue Sep 13 15:57:00 EDT 2016

On the call we briefly discussed the request to be able to influence
the ticket lifetime based on the preauth method used (i.e. shorter
lifetimes for 2FA tickets).  It would be good to continue the
discussion here.

To summarize, my understanding is that there is not a good way to do
this with auth indicators and the current AS/TGS policy code. The
authentication level may be desirable for influencing not just ticket
lifetime but other bits of policy, like the session key type, so we
would need a type of KDC policy interface (KDB?) in order to be
sufficiently generic. Then at that point plugins can be written to
support these kinds of policy decisions.
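To make the policy split the message describes concrete, here is an added example (written for this page, not code from MIT krb5 or from the poster) that models a KDC policy plugin deciding ticket lifetime from the authentication indicators attached to a request. The rule table, the indicator strings "otp" and "pkinit", the caps, and the function names `policy_check_as` / `policy_check_tgs` are all constructed assumptions; the real krb5 plugin interface and its signatures are not reproduced here. It shows the two decision points the message refers to: at the AS, the requested lifetime is clamped to the strictest cap matching any indicator; at the TGS, the indicators are inherited from the TGT and the derived ticket additionally cannot outlive the TGT.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy rule: if an auth indicator equal to `indicator`
 * is present on the request, cap the ticket lifetime at max_lifetime
 * seconds. This is a constructed model, not krb5 configuration. */
struct lifetime_rule {
    const char *indicator;
    long max_lifetime;
};

static const struct lifetime_rule rules[] = {
    { "otp",    3600L },       /* 2FA (OTP) tickets: 1 hour  */
    { "pkinit", 8 * 3600L },   /* certificate-based: 8 hours */
};

/* Cap applied when no indicator-specific rule matches (24 hours). */
#define DEFAULT_MAX_LIFETIME (24 * 3600L)

/* Return the strictest cap applying to a NULL-terminated indicator list.
 * With several indicators present, the shortest cap wins. */
long policy_max_lifetime(const char *const *indicators)
{
    long cap = DEFAULT_MAX_LIFETIME;
    size_t i;

    if (indicators == NULL)
        return cap;
    for (; *indicators != NULL; indicators++) {
        for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
            if (strcmp(*indicators, rules[i].indicator) == 0 &&
                rules[i].max_lifetime < cap)
                cap = rules[i].max_lifetime;
        }
    }
    return cap;
}

/* AS decision: the client's requested lifetime is clamped to the cap
 * derived from the indicators produced by the preauth mechanism used. */
long policy_check_as(const char *const *indicators, long requested)
{
    long cap = policy_max_lifetime(indicators);
    return requested < cap ? requested : cap;
}

/* TGS decision: indicators come from the TGT's authorization data, so
 * the same cap applies, and the service ticket may not outlive the TGT.
 * tgt_remaining is the number of seconds until the TGT expires. */
long policy_check_tgs(const char *const *indicators, long requested,
                      long tgt_remaining)
{
    long lifetime = policy_check_as(indicators, requested);
    return lifetime < tgt_remaining ? lifetime : tgt_remaining;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *otp[] = { "otp", NULL };
    const char *none[] = { NULL };

    printf("AS, otp, 10h requested  -> %ld s\n", policy_check_as(otp, 10 * 3600L));
    printf("AS, none, 10h requested -> %ld s\n", policy_check_as(none, 10 * 3600L));
    printf("TGS, otp, 1h requested, TGT has 30m left -> %ld s\n",
           policy_check_tgs(otp, 3600L, 1800L));
    return 0;
}
```

The point of separating `policy_check_as` from `policy_check_tgs` is the one the message makes: the TGS never sees the original preauth exchange, so the only durable record of authentication strength is the indicator set carried in the TGT, and any policy interface has to be evaluated at both points to be consistent.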
