Extending certauth plugin to set ticket flags?

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Feb 24 15:06:56 EST 2020


>That would work, but I'd rather not add a config option for this
>feature.  Every config option adds to the oversized bin of config options
>that every administrator has to sort through in the documentation.
>(Having undocumented config options isn't great either.)

I understand where you're coming from; I am really flexible here.
If you are happy with PKINIT always setting PA_HARDWARE then so am I.

I understand this is a weird mix of old and new code and the older-style
authentication indicators like TKT_FLG_HW_AUTH; my goal here is to
get our community on a long-term sustainable path in terms of code
maintenance.  Getting from here to there isn't always easy.

>I did notice that when the client principal has +requires_hwauth and
>PKINIT doesn't set the hw-authent flag, the result is a preauth loop
>(terminating with "Looping detected inside krb5_get_in_tkt").  It's
>unclear what piece of code should change to prevent this, if any.

Ah, yes, I know that error well :-/

--Ken
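
The preauth loop Greg describes above (+requires_hwauth on the client principal, PKINIT not setting hw-authent) can be reproduced in miniature. The following is an added example written for this page, not MIT krb5 code: the constant names and values are taken from kdb.h and krb5.h, but the KDC check, the PKINIT stand-in, the client retry loop and the MAX_PREAUTH_ROUNDS guard are a deliberately simplified model (assumptions) of what krb5_get_in_tkt and the KDC's AS-REQ validation do, written only to show why the exchange can never converge unless PKINIT asserts TKT_FLG_HW_AUTH.

```python
"""Toy model of the requires_hwauth / PKINIT preauth loop.

Added example, not MIT krb5 code.  Constant names and values mirror
kdb.h and krb5.h; everything else is a simplified reconstruction.
"""

# Principal attributes (kdb.h).  +requires_hwauth in kadmin sets the second.
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_REQUIRES_HW_AUTH = 0x00000100

# Ticket flags (krb5.h).  hw-authent is TKT_FLG_HW_AUTH.
TKT_FLG_PRE_AUTH = 0x00200000
TKT_FLG_HW_AUTH = 0x00100000

# KDC error code returned when the principal's preauth policy is unmet.
KDC_ERR_PREAUTH_REQUIRED = 25

# Stand-in for the client's loop guard (assumption; the real guard is
# what produces "Looping detected inside krb5_get_in_tkt").
MAX_PREAUTH_ROUNDS = 4


def pkinit_preauth(sets_hw_auth: bool) -> int:
    """Model PKINIT: it always proves preauth; whether it also asserts
    hw-authent is exactly the design question in the thread."""
    flags = TKT_FLG_PRE_AUTH
    if sets_hw_auth:
        flags |= TKT_FLG_HW_AUTH
    return flags


def kdc_validate(princ_attrs: int, tkt_flags: int):
    """Simplified KDC policy check on an AS-REQ.

    Returns None when the request may be honoured, otherwise the KDC
    error code the client would see.  Mirrors the shape of the real
    check: each REQUIRES_* attribute demands the matching ticket flag.
    """
    if princ_attrs & KRB5_KDB_REQUIRES_PRE_AUTH and not tkt_flags & TKT_FLG_PRE_AUTH:
        return KDC_ERR_PREAUTH_REQUIRED          # "missing required preauth"
    if princ_attrs & KRB5_KDB_REQUIRES_HW_AUTH and not tkt_flags & TKT_FLG_HW_AUTH:
        return KDC_ERR_PREAUTH_REQUIRED          # "HW authentication required"
    return None


def as_exchange(princ_attrs: int, pkinit_sets_hw_auth: bool):
    """Client side of the AS exchange, as a loop of preauth rounds.

    Returns ("ok", rounds) when the KDC accepts, or ("loop", rounds) when
    the client exhausts its guard.  The key point: PKINIT is the only
    mechanism the client has, so if the KDC keeps answering
    KDC_ERR_PREAUTH_REQUIRED the client can only resend the same thing.
    """
    for round_no in range(1, MAX_PREAUTH_ROUNDS + 1):
        flags = pkinit_preauth(pkinit_sets_hw_auth)
        if kdc_validate(princ_attrs, flags) is None:
            return ("ok", round_no)
        # Preauth already succeeded, yet the KDC still wants "more":
        # nothing the client can add, so it goes around again.
    return ("loop", MAX_PREAUTH_ROUNDS)


if __name__ == "__main__":
    hw_princ = KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_REQUIRES_HW_AUTH
    print("PKINIT without hw-authent:", as_exchange(hw_princ, False))
    print("PKINIT with hw-authent:   ", as_exchange(hw_princ, True))
```

Running it shows the two outcomes side by side: with a +requires_hwauth principal and a PKINIT that does not set hw-authent, every round ends in KDC_ERR_PREAUTH_REQUIRED and the client hits its loop guard; once PKINIT asserts TKT_FLG_HW_AUTH (the "always set PA_HARDWARE" option Ken is content with), the first round succeeds. Which side of that loop "should" change is the open question in the thread; the model only makes the mechanics visible.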


More information about the krbdev mailing list