Extending certauth plugin to set ticket flags?

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Feb 18 18:33:23 EST 2020


>2. Designate a magic authentication indicator value (probably "hwauth").
>In the core KDC code near the end of AS-REQ processing, check if this
>indicator is asserted and set the hw-authent bit.

I'd be happy with this.  I agree with you that it does fit in the notion
that hw-authent is legacy, and it provides a reasonable transition
strategy since it's clear that auth indicators make more long-term sense
for application servers to use (since for a transition period you'd need
to do both the hw-authent flag and an auth indicator).  It does occur
to me that if you were concerned about encroaching into the site-defined
auth data namespace, you could create a KDC configuration option that
says "Set the HW-AUTH flag if this auth indicator is set".  That would
be a slightly larger code footprint, though.  Either case (a hard-coded
magic auth indicator, or a configurable one) would be perfect.

--Ken
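The following is an added model of the two designs discussed above (the hard-coded "hwauth" indicator from the quoted proposal, and the configurable indicator Ken suggests), plus the transition situation in which a legacy application server checks only the ticket flag while a newer one checks the indicator. It is illustrative code written for this page, not MIT krb5 code: the config key name `hw_authent_indicator`, the function names, and the principal names are assumptions; the `TKT_FLG_HW_AUTH` value is the flag bit used by krb5.h for the RFC 4120 hw-authent ticket flag.

```python
"""Model of the hw-authent-from-auth-indicator proposals in the thread.

Added illustration, not MIT krb5 code.  Assumed names: KDCConfig,
hw_authent_indicator, finish_as_req, legacy_server_accepts,
modern_server_accepts, and the sample principals.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 4120 TicketFlags: hw-authent is bit 11 of the flag bit string.
# krb5.h defines the same bit as TKT_FLG_HW_AUTH.
TKT_FLG_HW_AUTH = 0x00100000

# Proposal 2 from the quoted message: one fixed "magic" indicator name.
MAGIC_HW_INDICATOR = "hwauth"


@dataclass
class KDCConfig:
    # Ken's variant: a site-chosen indicator instead of the magic one.
    # The key name is an assumption for this model, not a real krb5.conf key.
    hw_authent_indicator: Optional[str] = None


@dataclass
class Ticket:
    client: str
    flags: int = 0
    auth_indicators: List[str] = field(default_factory=list)

    def has_hw_authent(self) -> bool:
        return bool(self.flags & TKT_FLG_HW_AUTH)


def finish_as_req(ticket: Ticket, config: KDCConfig) -> Ticket:
    """Step modelled on 'near the end of AS-REQ processing': after the
    preauth modules have asserted their indicators, decide whether the
    legacy hw-authent bit should also be set on the ticket."""
    # If the site configured an indicator it replaces the magic value
    # (design choice of this model, so a site never has to reserve "hwauth").
    trigger = config.hw_authent_indicator or MAGIC_HW_INDICATOR
    if trigger in ticket.auth_indicators:
        ticket.flags |= TKT_FLG_HW_AUTH
    return ticket


def legacy_server_accepts(ticket: Ticket) -> bool:
    """Older application server: only understands the hw-authent flag."""
    return ticket.has_hw_authent()


def modern_server_accepts(ticket: Ticket, required_indicator: str) -> bool:
    """Newer application server: checks the auth indicator and ignores the
    legacy flag, which is why the KDC must emit both during the transition."""
    return required_indicator in ticket.auth_indicators


if __name__ == "__main__":
    # Constructed sample: a client whose preauth asserted the magic indicator.
    t = finish_as_req(Ticket("alice@EXAMPLE.ORG", auth_indicators=["hwauth"]),
                      KDCConfig())
    print("hw-authent set:", t.has_hw_authent())
    print("legacy server:", legacy_server_accepts(t),
          "modern server:", modern_server_accepts(t, "hwauth"))
```

Running the model with a ticket that carries the magic indicator shows both server generations accepting it, which is the transition property Ken describes; a ticket whose indicators come only from, say, a password preauth module leaves the flag clear and is rejected by the legacy server.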

