[20029] in Kerberos_V5_Development


Re: Extending certauth plugin to set ticket flags?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Feb 21 12:31:29 2020

To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <8d4b0b38-8b3b-2107-b793-af3f713f79c3@mit.edu>
Date: Fri, 21 Feb 2020 12:31:01 -0500
MIME-Version: 1.0
In-Reply-To: <202002182333.01INXO7s007733@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 2/18/20 6:33 PM, Ken Hornstein wrote:
>> 2. Designate a magic authentication indicator value (probably "hwauth").
>> In the core KDC code near the end of AS-REQ processing, check if this
>> indicator is asserted and set the hw-authent bit.
> 
> I'd be happy with this.

Unfortunately, this approach turns out to be difficult to implement
properly.  (Authdata handling happens late in the AS-REQ process, and
can affect the set of indicators.  Checking the server principal's
hardware authentication requirement against the ticket flags happens
earlier, and if that check fails, we have to produce a hint list, which
is an async process, so it's not easy to move the check later.)

So I will probably go with the designated authorize() return code, if
that meets the requirements.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
