Re: Extending certauth plugin to set ticket flags?
Message-ID: <202002182333.01INXO7s007733@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <5da4e962-5b2e-cd2d-5e10-cdbd5d90fbbd@mit.edu>
MIME-Version: 1.0
Date: Tue, 18 Feb 2020 18:33:23 -0500
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
> 2. Designate a magic authentication indicator value (probably "hwauth").
> In the core KDC code near the end of AS-REQ processing, check if this
> indicator is asserted and set the hw-authent bit.
I'd be happy with this. I agree with you that it does fit in the notion
that hw-authent is legacy, and it provides a reasonable transition
strategy since it's clear that auth indicators make more long-term sense
for application servers to use (since for a transition period you'd need
to do both the hw-authent flag and an auth indicator). It does occur
to me that if you were concerned about encroaching into the site-defined
auth data namespace, you could create a KDC configuration option that
says "Set the HW-AUTH flag if this auth indicator is set". That would
be a slightly larger code footprint, though. Either case (a hard-coded
magic auth indicator, or a configurable one) would be perfect.
--Ken
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
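The two KDC behaviours discussed in the message (a hard-coded "hwauth" indicator versus a configurable one) and the application-server transition check (accept the legacy hw-authent flag or the indicator) sketched as an added C example. This is illustrative code written for this page, not MIT krb5 KDC code. It assumes the TKT_FLG_HW_AUTH bit value used by MIT krb5 (RFC 4120 flag bit 11, 0x00100000 in the 32-bit flags word); the indicator list is simplified to a NULL-terminated array of C strings rather than the KDC's krb5_data array, and the function and constant names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* hw-authent ticket flag: RFC 4120 flag bit 11, which MIT krb5 stores as
 * 0x00100000 in its 32-bit ticket-flags word. */
#define TKT_FLG_HW_AUTH 0x00100000U
/* A neighbouring flag, used only to show that other bits are preserved. */
#define TKT_FLG_PRE_AUTH 0x00200000U

/* The magic indicator value proposed in the thread (hypothetical name). */
#define HWAUTH_INDICATOR "hwauth"

/* Constructed sample indicator sets, standing in for what a KDC plugin
 * (e.g. a certauth module) would have asserted for the AS-REQ. */
const char *const SAMPLE_HW_INDICATORS[] = { "hwauth", "pkinit", NULL };
const char *const SAMPLE_PW_INDICATORS[] = { "password", NULL };

/* True if the NULL-terminated indicator list contains `wanted`. */
static bool has_indicator(const char *const *indicators, const char *wanted)
{
    if (indicators == NULL || wanted == NULL)
        return false;
    for (; *indicators != NULL; indicators++) {
        if (strcmp(*indicators, wanted) == 0)
            return true;
    }
    return false;
}

/* KDC side, near the end of AS-REQ processing. `hw_auth_indicator` is
 * either the hard-coded HWAUTH_INDICATOR or a value taken from a
 * hypothetical KDC configuration option ("set hw-authent if this indicator
 * is asserted"); NULL disables the mapping entirely. */
unsigned int kdc_finalize_ticket_flags(unsigned int flags,
                                       const char *const *indicators,
                                       const char *hw_auth_indicator)
{
    if (has_indicator(indicators, hw_auth_indicator))
        flags |= TKT_FLG_HW_AUTH;
    return flags;
}

/* Application server side. During the transition period a server must
 * accept either the legacy flag or the indicator, since tickets may come
 * from KDCs that set one but not the other. Once every KDC asserts the
 * indicator, `require_indicator` can be flipped and the flag is ignored. */
bool app_server_hw_auth_ok(unsigned int flags,
                           const char *const *indicators,
                           bool require_indicator)
{
    bool by_flag = (flags & TKT_FLG_HW_AUTH) != 0;
    bool by_indicator = has_indicator(indicators, HWAUTH_INDICATOR);
    if (require_indicator)
        return by_indicator;
    return by_flag || by_indicator;
}

int main(void)
{
    /* Hard-coded indicator, hardware-backed client: flag gets set. */
    unsigned int f = kdc_finalize_ticket_flags(TKT_FLG_PRE_AUTH,
                                               SAMPLE_HW_INDICATORS,
                                               HWAUTH_INDICATOR);
    printf("hw client flags: 0x%08x\n", f);

    /* Same client, configurable indicator set to a different site value:
     * the "hwauth" indicator alone no longer sets the flag. */
    unsigned int g = kdc_finalize_ticket_flags(TKT_FLG_PRE_AUTH,
                                               SAMPLE_HW_INDICATORS,
                                               "site-hw-token");
    printf("with site-specific mapping: 0x%08x\n", g);

    /* Legacy ticket with only the flag is still accepted mid-transition. */
    printf("legacy flag accepted: %d\n",
           app_server_hw_auth_ok(TKT_FLG_HW_AUTH, SAMPLE_PW_INDICATORS, false));
    return 0;
}
```

The transition check is the reason both mechanisms must coexist for a while: an application server that switches to indicator-only checking before every KDC in the realm asserts "hwauth" would reject hardware-authenticated users holding tickets that carry only the legacy flag.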