Extending certauth plugin to set ticket flags?
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Feb 21 13:11:21 EST 2020
>>> 2. Designate a magic authentication indicator value (probably "hwauth").
>>> In the core KDC code near the end of AS-REQ processing, check if this
>>> indicator is asserted and set the hw-authent bit.
>>
>> I'd be happy with this.
>
>Unfortunately, this approach turns out to be difficult to implement
>properly. (Authdata handling happens late in the AS-REQ process, and
>can affect the set of indicators. Checking the server principal's
>hardware authentication requirement against the ticket flags happens
>earlier, and if that check fails, we have to produce a hint list, which
>is an async process, so it's not easy to move the check later.)
Well, I will defer to your knowledge of the KDC AS-REQ processing path,
and "perfect is the enemy of the good" and all that. If you are fine
with a designated authorize_cert return code, then so am I.
--Ken