Re: KDB access to auth indicators (was Re: Proposed libkrb5 APIs for
daemon@ATHENA.MIT.EDU (Alexander Bokovoy)
Thu Aug 8 02:02:07 2019
Date: Thu, 8 Aug 2019 09:01:49 +0300
From: Alexander Bokovoy <abokovoy@redhat.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20190808060149.GE28772@redhat.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <bc98524c-6470-6a81-8bd2-a01e558424df@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Wed, 07 Aug 2019, Greg Hudson wrote:
>On 8/3/19 4:08 AM, Alexander Bokovoy wrote:
>> So, if there would be a way to pass a mutable list of authentication
>> indicators to fetch_kdb_authdata() (which would pass it to a KDB's
>> sign_authdata callback) and add it to the ticket reply afterwards, that
>> would solve our case.
>
>Please have a look at https://github.com/krb5/krb5/pull/965 and see if
>that will work.
Thanks. This looks good. I'm at the Flock conference this week, but I'll try
to change FreeIPA to see if it works for OTP tokens, i.e. whether I would be
able to deny access to a specific Samba share if the user doesn't possess
a 2FA-asserted SID in the MS-PAC.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev