[32530] in Kerberos
Re: kerberos, pre_auth, and smartcards
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Jul 27 16:44:00 2010
From: Russ Allbery <rra@stanford.edu>
To: "kerberos\@mit.edu" <kerberos@mit.edu>
In-Reply-To: <1280261254.3976.982.camel@ray> (Greg Hudson's message of "Tue,
27 Jul 2010 16:07:34 -0400")
Date: Tue, 27 Jul 2010 13:43:54 -0700
Message-ID: <87r5iou039.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Greg Hudson <ghudson@MIT.EDU> writes:
> preauth-required doesn't specify which kind of preauth is required. The
> client is proving its knowledge of the password using a much simpler
> mechanism called "encrypted timestamp", and that's sufficient for the
> KDC to issue a ticket.
> Currently, if you want to specifically require pkinit, you'll need to
> randomize the principal's key so that there is no valid password.
I thought setting requires_hwauth on the principal should force PKINIT.
Does this not work the way that I thought it did?
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
