Extending certauth plugin to set ticket flags?
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Feb 24 15:06:56 EST 2020
>That would work, but I'd rather not add a config option for this
>feature. Every config option adds to the oversized bin of config options
>that every administrator has to sort through in the documentation.
>(Having undocumented config options isn't great either.)
I understand where you're coming from; I am really flexible here.
If you are happy with PKINIT always setting PA_HARDWARE then so am I.
I understand this is a weird mix of old and new code and the older-style
authentication indicators like TKT_FLG_HW_AUTH; my goal here is to
get our community on a long-term sustainable path in terms of code
maintenance. Getting from here to there isn't always easy.
>I did notice that when the client principal has +requires_hwauth and
>PKINIT doesn't set the hw-authent flag, the result is a preauth loop
>(terminating with "Looping detected inside krb5_get_in_tkt"). It's
>unclear what piece of code should change to prevent this, if any.
Ah, yes, I know that error well :-/
--Ken
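A practical check that follows from the thread, added here as an example rather than code from the krbdev discussion or the MIT krb5 project: before putting +requires_hwauth on a principal whose users authenticate with PKINIT, confirm that the TGT the KDC issues actually carries the hw-authent ticket flag, which `klist -f` prints as `H`. The script parses `klist -f` output for the krbtgt entry's flags; the sample output, the cache path, the principal names and the `--live` switch are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the krbdev thread or MIT krb5 itself).
# Given the text printed by `klist -f`, report whether the TGT was issued
# with the hw-authent flag (shown as "H" in the Flags field). A principal
# marked +requires_hwauth whose preauth mechanism does not set that flag
# never gets a usable TGT, which is the preauth loop described above.

# Print the Flags field of the first krbtgt/ entry in klist -f output.
# $1: full klist -f output as a string.
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Flags:/ { sub(/.*Flags: */, ""); print $1; exit }
    '
}

# Print "yes" if the TGT flags contain H (hardware authenticated), else "no".
has_hw_authent() {
    case "$(tgt_flags "$1")" in
        *H*) echo yes ;;
        *)   echo no ;;
    esac
}

# Constructed sample output (assumed, not captured from a real KDC):
# a PKINIT TGT that did get the hw-authent flag ...
SAMPLE_WITH_H='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
02/24/2020 15:00:00  02/25/2020 01:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FRIAH'

# ... and one that did not (flags F, R, I, A only).
SAMPLE_NO_H='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
02/24/2020 15:00:00  02/25/2020 01:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FRIA'

# With --live, inspect the current credential cache instead of the samples.
# Run this after `kinit` with PKINIT and before
#   kadmin.local -q 'modify_principal +requires_hwauth alice'
if [ "${1:-}" = "--live" ]; then
    out=$(klist -f) || exit 1
    if [ "$(has_hw_authent "$out")" = yes ]; then
        echo "TGT has hw-authent; +requires_hwauth on this principal is safe"
    else
        echo "TGT lacks hw-authent; +requires_hwauth would make kinit loop"
        exit 2
    fi
fi
```

Without `--live` the script only defines the helpers and the constructed samples, so it can be sourced or run offline; with `--live` it reads the real cache via `klist -f`.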