Extending certauth plugin to set ticket flags?

Greg Hudson ghudson at mit.edu
Mon Feb 24 14:59:14 EST 2020


On 2/22/20 9:07 AM, Ken Hornstein wrote:
>> Does your custom PKINIT module set the PA_HARDWARE flag in
>> pkinit_server_get_flags()?  That would be necessary to make PKINIT work
>> with client principals flagged with +requires_hwauth, but perhaps you're
>> not doing that.
> 
> The answer is ... yes.  Ah, crud, I had forgotten about that.  Perhaps
> the right solution there is to create a configuration option in
> krb5.conf/kdc.conf that will tell pkinit to set that?

That would work, but I'd rather not add a config option for this
feature.  Every config option adds to the oversized bin of config options
that every administrator has to sort through in the documentation.
(Having undocumented config options isn't great either.)

The simplest option is to make PKINIT always set PA_HARDWARE, with a
comment.  The risk of breaking any deployments with this change seems
low, since PKINIT readily configures itself out on either the KDC or
the client, and not many deployments use +requires_hwauth or the
hw-authent flag.

More surgically, PKINIT could only set PA_HARDWARE when a certauth
module might set hw-authent (we'd have to make some tweak to the
certauth changes to make it possible to tell this at initialization
time).  Unfortunately, that option doesn't work, because the kdcpreauth
flags() method doesn't take a moddata argument.

I did notice that when the client principal has +requires_hwauth and
PKINIT doesn't set the hw-authent flag, the result is a preauth loop
(terminating with "Looping detected inside krb5_get_in_tkt").  It's
unclear what piece of code should change to prevent this, if any.
