[32533] in Kerberos
Re: kerberos, pre_auth, and smartcards
daemon@ATHENA.MIT.EDU (Will Fiveash)
Tue Jul 27 21:51:42 2010
Date: Tue, 27 Jul 2010 20:50:49 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20100728015049.GA8971@sun.com>
Mail-Followup-To: Greg Hudson <ghudson@MIT.EDU>,
Russ Allbery <rra@stanford.edu>,
"kerberos@mit.edu" <kerberos@MIT.EDU>
In-Reply-To: <1280264802.3976.986.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
On Tue, Jul 27, 2010 at 05:06:42PM -0400, Greg Hudson wrote:
> On Tue, 2010-07-27 at 16:43 -0400, Russ Allbery wrote:
> > I thought setting requires_hwauth on the principal should force PKINIT.
> > Does this not work the way that I thought it did?
>
> I can't find anything in our code which would set the HW-AUTHENT ticket
> flag for pkinit preauth. Only SAM preauth appears to do that.
>
> It's theoretically possible for a KDC to have evidence of whether PKINIT
> preauth was done with hardware or software private keys, but only with
> help from the admin, and we don't have that kind of configuration.

I started a thread on this earlier; search for the following in the
archives:

Date: Tue, 9 Feb 2010 19:05:32 -0600
From: Will Fiveash <William.Fiveash@Sun.COM>
To: MIT Kerberos Dev List <krbdev@MIT.EDU>
Subject: HW-AUTHENT flag question
Message-ID: <20100210010532.GB14762@sun.com>
--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/