[32532] in Kerberos

Re: kerberos, pre_auth, and smartcards

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jul 27 17:06:46 2010

From: Greg Hudson <ghudson@mit.edu>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87r5iou039.fsf@windlord.stanford.edu>
Date: Tue, 27 Jul 2010 17:06:42 -0400
Message-ID: <1280264802.3976.986.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, 2010-07-27 at 16:43 -0400, Russ Allbery wrote:
> I thought setting requires_hwauth on the principal should force PKINIT.
> Does this not work the way that I thought it did?

I can't find anything in our code which would set the HW-AUTHENT ticket
flag for pkinit preauth.  Only SAM preauth appears to do that.

It's theoretically possible for a KDC to have evidence of whether PKINIT
preauth was done with hardware or software private keys, but only with
help from the admin, and we don't have that kind of configuration.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
