Extending certauth plugin to set ticket flags?

Greg Hudson ghudson at mit.edu
Fri Feb 21 12:31:01 EST 2020


On 2/18/20 6:33 PM, Ken Hornstein wrote:
>> 2. Designate a magic authentication indicator value (probably "hwauth").
>> In the core KDC code near the end of AS-REQ processing, check if this
>> indicator is asserted and set the hw-authent bit.
> 
> I'd be happy with this.

Unfortunately, this approach turns out to be difficult to implement
properly.  (Authdata handling happens late in the AS-REQ process, and
can affect the set of indicators.  Checking the server principal's
hardware authentication requirement against the ticket flags happens
earlier, and if that check fails, we have to produce a hint list, which
is an async process, so it's not easy to move the check later.)

So I will probably go with the designated authorize() return code, if
that meets the requirements.


More information about the krbdev mailing list